January 21, 2022

LastPass says an error, not hackers, triggered some safety alerts

LastPass, the service that secures your individual account passwords behind a single master password, was the subject of renewed security concerns this week as users reported unusual activity warnings. The company initially described the warnings as likely resulting from credential-stuffing activity but has since clarified that a system error may have caused some of the alerts.


The issue

LastPass users took to social media sites this week to report that they had received emails warning them about blocked attempts to log in to their accounts. The number of reports rolling in from users raised questions over whether there had been a larger security breach at LastPass, though the company was quick to deny it (via Twitter).

Fueling the speculation was a seemingly related issue in which some users, including myself, received alerts warning that someone had attempted to use the account's master password, which is essentially the password for the LastPass vault. If the LastPass user set their master password to something they had previously used on a different platform that leaked it to the wider Internet, it is possible the login attempts could be the result of credential-stuffing efforts.


However, in my case, the LastPass master password on my account was automatically generated using the browser's password generator. The master password is a long series of random characters that cannot reasonably be guessed, and, of particular significance, I have never used the password on any other account or platform.

As a result, it is not possible that my master password was previously leaked by a different service and then swept up by hackers attempting to get into accounts by credential stuffing, a term that refers to repeatedly attempting to log into accounts using known passwords and variants of them in the hope that one works.

Multiple claims surfaced on social media from users who said they, too, used unique master passwords for their LastPass accounts that had not previously been used on other platforms (1, 2). In light of this, we reached out to LastPass for clarification on what might be causing these users to receive the security alerts.

One issue leads to another


According to the company, its investigation found evidence that an error may have resulted in some users receiving security warnings when there had not, in fact, been any attempts made to access their accounts. LastPass says it continued to investigate the matter after finding no evidence of a security breach, specifically looking into the cause of the automated security warnings some users were receiving.

In a statement on the matter, LastPass VP of Product Management Dan DeMichele explained:

Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.

These alerts were triggered as a result of LastPass's ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass' zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to users' Master Password(s).

We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.

In addition to the statement, LastPass has published a blog post detailing some of the security features used as part of its system, including how its "zero-knowledge" model works and why, despite that model, users must still use strong, unique master passwords. Users who want an extra layer of protection and peace of mind should also consider enabling multi-factor authentication on their accounts to better protect them against intruders.
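To make those two points concrete, the following is an added illustrative example and not LastPass's code: it models the generic zero-knowledge password-manager pattern in which the client derives a vault key and a separate authentication hash from the master password, so the server only ever stores a salted hash of the auth hash and never sees the master password or the vault key. The iteration counts, account emails, passwords and the "leaked" breach list are all assumptions constructed for the demonstration. The credential-stuffing run at the end succeeds only against the account whose master password was reused on another site.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Work factors are assumptions for this illustration, not any product's settings.
CLIENT_ROUNDS = 100_000   # client-side PBKDF2 iterations over the master password
SERVER_ROUNDS = 10_000    # server-side stretching of the received auth hash


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side only: the key that encrypts the vault. Salted with the
    account email so two users with the same password get different keys."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def derive_auth_hash(email: str, master_password: str) -> bytes:
    """Client side: the value actually sent at login. One further one-way step
    from the vault key, so the auth hash cannot be turned back into that key."""
    vault_key = derive_vault_key(email, master_password)
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class Server:
    """Holds only a salted, stretched hash (verifier) of each user's auth hash."""

    def __init__(self):
        self.users = {}          # email -> (salt, verifier)
        self.failed_logins = {}  # email -> count; what an alerting system would watch

    def _verifier(self, auth_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)

    def register(self, email: str, auth_hash: bytes) -> None:
        salt = os.urandom(16)
        self.users[email] = (salt, self._verifier(auth_hash, salt))

    def login(self, email: str, auth_hash: bytes) -> bool:
        if email not in self.users:
            return False
        salt, verifier = self.users[email]
        ok = hmac.compare_digest(verifier, self._verifier(auth_hash, salt))
        if not ok:
            self.failed_logins[email] = self.failed_logins.get(email, 0) + 1
        return ok


def client_login(server: Server, email: str, master_password: str) -> bool:
    """What a client does: derive locally, transmit only the auth hash."""
    return server.login(email, derive_auth_hash(email, master_password))


def credential_stuffing(server: Server, email: str, leaked_passwords: list) -> Optional[str]:
    """Attacker replays passwords leaked from other sites; returns the first one that works."""
    for password in leaked_passwords:
        if client_login(server, email, password):
            return password
    return None


def demo() -> dict:
    server = Server()
    reused = "Summer2021!"              # constructed: also used on a breached site
    unique = secrets.token_urlsafe(24)  # constructed: generator-style random password
    server.register("alice@example.com", derive_auth_hash("alice@example.com", reused))
    server.register("bob@example.com", derive_auth_hash("bob@example.com", unique))

    leaked_dump = ["password123", "Summer2021!", "letmein"]  # constructed breach list

    _, alice_verifier = server.users["alice@example.com"]
    return {
        "alice_compromised": credential_stuffing(server, "alice@example.com", leaked_dump),
        "bob_compromised": credential_stuffing(server, "bob@example.com", leaked_dump),
        "bob_failed_attempts": server.failed_logins.get("bob@example.com", 0),
        # what the server stores is neither the vault key nor even the raw auth hash
        "server_holds_vault_key": alice_verifier == derive_vault_key("alice@example.com", reused),
        "server_holds_auth_hash": alice_verifier == derive_auth_hash("alice@example.com", reused),
    }


if __name__ == "__main__":
    print(demo())
```

Two things to take from the run: the server-side record cannot be used to decrypt a vault, because the vault key never leaves the client, and yet the stuffing loop still gets into Alice's account because her master password appeared in a breach elsewhere. The zero-knowledge design protects against a server compromise, not against a reused master password; a unique one, plus multi-factor authentication, is what defeats the stuffing attempt.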
