2 min read

LastPass Master Passwords Compromised in Mystery Attack

Filip TRUȚĂ

December 29, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
LastPass Master Passwords Compromised in Mystery Attack

LastPass is warning customers that someone else appears to have their master password and is trying to access their password vault from a different location. Users are up in arms on forums and social media, as some see even brand new passwords getting compromised as soon as they are changed.

For the past 24 hours, LastPass users have been receiving email warnings from the mother company saying, “Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look. Was this you?”

Unsurprisingly, the issue was raised in online media as more and more users got the warning.

Reset passwords compromised hours later

Fearing that bad actors might get to their password vaults, many rushed to change their master password only to find out hours later that the new password had been compromised as well.

In the meantime, the company said in a press statement that hackers are running a typical credential stuffing operation, trying to match reused passwords from data breaches.

“LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted ’credential stuffing‘ activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services,” the company said. “It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”

The only problem with the credential stuffing theory is that unique, all-new passwords are getting compromised as well, meaning the issue runs much deeper.

Breach? 2FA capture? No one knows

The initial theory was that attackers got their mitts on all-new password dumps from recent malware operations. Others theorize that LastPass itself is suffering a security breach.

Perhaps it’s more likely that attackers are using phishing kits capable of capturing two-factor authentication (2FA) tokens in real-time in what is known as Man-in-the-Middle (MitM) phishing. However, this would imply that victims are already infected with info-stealing malware.

So it’s still a mystery as to how even newly reset passwords are getting compromised. Since multi-factor authentication could very well be the key to this issue, it’s probably a good idea to set LastPass aside until the situation clears.

Stay safe!

tags


Author



Right now

Top posts

Abode IoT Security Camera Vulnerabilities Would Let Attackers Insert Images, Bitdefender Finds

Abode IoT Security Camera Vulnerabilities Would Let Attackers Insert Images, Bitdefender Finds

December 21, 2021

2 min read
Online Shoppers Beware, Mobile Scams Are on the Rise

Online Shoppers Beware, Mobile Scams Are on the Rise

December 17, 2021

2 min read
The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Apple Patches New Zero-Day and Nasty Privacy Bug with iOS 15.3 and macOS 12.2 Apple Patches New Zero-Day and Nasty Privacy Bug with iOS 15.3 and macOS 12.2
Filip TRUȚĂ

January 27, 2022

2 min read
Microsoft Uncovers New SolarWinds Vulnerability While Analyzing Log4j Exploit Activity Microsoft Uncovers New SolarWinds Vulnerability While Analyzing Log4j Exploit Activity
Silviu STAHIE

January 26, 2022

1 min read
Take Your QNAP NAS Offline! DeadBolt Ransomware Locks Devices via Alleged Zero-Day Flaw Take Your QNAP NAS Offline! DeadBolt Ransomware Locks Devices via Alleged Zero-Day Flaw
Filip TRUȚĂ

January 26, 2022

1 min read