Having a key manager to easily log into social networks, bank accounts or email is common. There are many options, but without a doubt one of the most famous is LastPass. Now, users of this service have encountered an alert message stating that their master password is compromised. A problem that undoubtedly puts privacy and security at risk.
Master password compromised in LastPass
Many LastPass users have reported receiving an alert message stating that their master key it had been compromised. Specifically, the message alerted that someone had tried to use it to log into accounts through unknown locations.
However, those notifications they indicated that attempts to log in had been blocked due to being in unknown locations. Keep in mind that this is common and that many online services use it for security reasons. For example, if we open the bank account from an unknown location, such as another country, in many cases we must verify the identity and thus avoid attacks.
Specifically, the message said that someone had tried to use the master key to try to log in from a unknown device or location. That caused LastPass to block the attempt and prompted the user to be careful and check that out.
As reported from LastPass, it is an attack attempt known as Credential Stuffing. Basically it is a type of attack that is based on vulnerabilities to steal passwords and database credentials.
These are bots that have tried to access LastPass user accounts using email addresses and passwords that they have previously obtained through breaches in other services. They use those credentials basically to test entering the key manager.
There is no indication that it was successful
From LastPass they assure that there is no indication that suggests that these attacks have been successful. They report that they constantly monitor this type of activity to detect possible irregularities and have not detected anything strange.
However, some users claim that their passwords are unique to LastPass, so they have not been leaked in any other online service. This makes the theory that they have been able to take advantage of other services that have suffered a previous problem, may not be true.
However, from LastPass they remain firm in that there has been no unwanted access and that everything has been monitored. There is nothing to suggest that an attacker has really succeeded in breaking into someone else’s accounts.
From RedesZone we recommend change Password LastPass teacher to prevent. In addition, the ideal thing if you have an account in LastPass or any other key manager, is to change the password periodically in all linked services. This reduces the possibility of problems appearing and that an attacker can take advantage of it to gain access to any online service that has been linked to that password manager.
