LastPass users who received security alerts that someone was attempting to access their Master Password can now breathe a sigh of relief. Well, sort of. What was initially thought to be a security breach, or more likely credential-stuffing activity, was actually a system error on the part of the password management service. LastPass says the alerts sent to a small subset of users were “likely triggered in error” and that it has since resolved the issue by adjusting its security alert systems.
When reports started coming in that some LastPass users were receiving email security alerts, the company started investigating the matter. Its initial statement was that there was no breach of its servers and that Master Passwords had not been leaked. It said the alerts were most likely triggered by attempted “credential stuffing”, meaning that usernames and passwords leaked from other services unrelated to LastPass were being tried by attackers in an attempt to gain access to the all-important Master Password.
However, some users said that was impossible, as their password had been automatically generated by a password generator and was not used in any other service. When LastPass continued to investigate the matter, it found that the security alerts “were triggered in error”. This means there was actually no attempt to access anyone’s Master Password; it was just a system error on the part of the password management service.
LastPass VP of Product Management Dan DeMichele further explained that the alerts were most likely triggered as part of the company’s continuing efforts to “defend its customers from bad actors and credential stuffing attempts”. After realizing the error, LastPass adjusted its security alert systems, although it did not go into detail about what exactly the mistake was or what it did to fix it. It did reiterate some of its safety features, including not storing any data about its users’ Master Passwords.
This means that LastPass users can breathe a sigh of relief: there was no actual attempt to access their passwords. But it is also a reminder that users should take the extra security steps available to them, such as enabling two-factor authentication.