Many users of the reputable password manager LastPass say they have received an email alerting them to an attempt to sign in to their account using their master password. Although a cyberattack was initially suspected, LastPass says that some of the emails were sent in error while others are the product of credential stuffing.
On Twitter, Reddit and the forum of the specialized site Hacker News, many LastPass users have expressed their concern. They received an email warning them of an attempt to sign in to their account using their master password, which suggested that the password had been compromised.
“Someone just used your master password to try to sign in to your account from a device or location that we didn’t recognize. LastPass blocked the attempt, but you should take a closer look. Was it you?”, the emails read.
Alarmed by this security alert, users immediately changed their master password. They nevertheless continued to receive warning emails, which suggested that each new master password was being compromised in turn. As a result, users quickly speculated that LastPass had suffered a cyberattack or a security breach.
LastPass reassures users: no cyberattack or vulnerability to report
However, the password manager's teams cut the concerns short. They claim to have no evidence of a data breach and say that no master password has been compromised. After investigation, LastPass says that these emails are related to credential stuffing attempts. This technique involves attempting to access an account (in this case, LastPass) using email addresses or passwords obtained through breaches or cyberattacks on other services.
The attackers are therefore betting that users reuse the same password across their different accounts. “It is important to note that at this time we have no indication that the accounts or the LastPass service have been compromised. We regularly monitor this type of activity and will continue to take steps to ensure that LastPass, its users and their data remain protected and secure”, LastPass says.
If no cyberattack caused these security alert emails to be sent, what did? LastPass continued its investigation and clarified that “these security alerts, which were sent to a limited subset of LastPass users, were probably triggered in error”. To prevent the problem from recurring, LastPass has “adjusted its automated security alert systems”. Even so, we still advise you to change your master password, enable two-factor authentication, and monitor suspicious login attempts. LastPass has been hacked in the past, notably in 2015.