Popular password manager LastPass says master passwords are safe, despite many users believing otherwise.
Password managers are important elements in cybersecurity. A good password manager saves the many different passwords users collect, notifies them when one is too easy or has been compromised, and suggest strong passwords. A good password manager secures its database of passwords with a master password that must be input to access the saved ones.
LastPass is one of the most popular of these programs. Early Tuesday, users began noticing suspicious activity, with login attempts from different locations using their master passwords.
According to AppleInsider many of the cases involve accounts that haven’t been used in a while, accounts using old master passwords. While this would seem to indicate a hack involving the list of master passwords, specifically a hack involving an old list, some users report continued login attempts even after changing their password.
Despite the anecdotal evidence to suggest the list of master passwords was compromised, LastPass says its service was not breached or compromised.
Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.
It remains to be seen if LastPass is correct, or if further investigation will reveal additional details. Either way, it is a disconcerting turn of events for a service that many people rely on to keep their online activity safe.