Several LastPass users have claimed that their master passwords were used by unauthorized individuals to access their password vaults. Some of those users say they never shared their master password with any other platform, which led to claims that there had been a LastPass data breach. The first attacks on users’ password vaults appear to have started on Monday, December 27, 2021.
A password manager allows users to easily create strong, unique passwords for all their accounts and never have to remember those passwords. Passwords are salted, hashed, and encrypted in a password vault that can only be accessed with a master password. The master password is the only password that users of password managers have to remember.
Since the master password may be all that stands between an attacker and a user’s entire collection of passwords, it should be long and complex (a passphrase, for example) and not used anywhere else. It is also important to enable multifactor authentication: if a master password is somehow compromised, multifactor authentication should prevent the username and password alone from granting access to the account.
A password manager data breach is therefore a very big deal; however, LastPass has investigated the claims and announced that there has been no data breach at LastPass. Instead, LastPass said a threat actor has been conducting credential stuffing attacks on some of its users to gain access to their password vaults.
Credential stuffing attacks can be highly effective, but they are reliant on individuals reusing passwords on multiple platforms. An attacker uses combinations of usernames and passwords that have been obtained in third-party data breaches and attempts to gain access to user accounts. These attacks are usually performed on email accounts, online shopping sites, and social media accounts, as access to those accounts is easy to monetize and users are more likely to reuse passwords on those accounts.
The attacks so far have affected tens of users and have involved attempts, mostly from IP addresses in Brazil, to access users’ vaults using the correct master password. LastPass has confirmed it is now blocking attempts to access vaults with a correct master password from a foreign IP address.
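The two signals the article describes, a correct password arriving from a country the account has never used and one source IP attempting logins against many different accounts, are what a defender would look for in authentication logs. The following is an added example, not LastPass code: it runs both checks over a constructed log sample. The log format, the `IP_COUNTRY` stand-in for a GeoIP lookup, and the `min_accounts` threshold are all assumptions chosen for the example.

```python
"""Credential-stuffing detection over authentication logs (added example).

Flags two patterns from the article:
  1. a successful login for an account from a country not previously seen for
     that account (the "correct master password from a foreign IP" case), and
  2. a single source IP attempting logins against many distinct accounts, which
     is the signature of credential stuffing whether or not the attempts succeed.
Log lines and the IP-to-country table are constructed for this example.
"""
from collections import defaultdict

# Constructed sample: timestamp, user, source IP, result (one event per line)
SAMPLE_LOG = """\
2021-12-27T10:01:00Z alice 203.0.113.5 success
2021-12-27T10:02:00Z alice 203.0.113.5 success
2021-12-27T11:00:00Z bob 198.51.100.7 success
2021-12-27T12:00:00Z carol 198.51.100.9 success
2021-12-27T14:00:00Z alice 192.0.2.44 success
2021-12-27T14:00:05Z bob 192.0.2.44 failure
2021-12-27T14:00:10Z carol 192.0.2.44 failure
2021-12-27T14:00:15Z dave 192.0.2.44 failure
2021-12-27T14:00:20Z erin 192.0.2.44 success
2021-12-27T14:00:25Z frank 192.0.2.44 failure
"""

# Constructed stand-in for a GeoIP lookup (assumption: a real deployment
# would query a GeoIP database instead of a hard-coded table).
IP_COUNTRY = {
    "203.0.113.5": "US",
    "198.51.100.7": "US",
    "198.51.100.9": "DE",
    "192.0.2.44": "BR",
}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "result": result})
    return events


def new_country_logins(events, baseline_countries=None):
    """Return (user, ip, country) for successful logins from a country not in
    the account's baseline.

    The baseline is seeded from baseline_countries (if given) and grown from
    earlier events in the same log. An account with no history at all cannot
    be baselined by this check, so the per-IP check below covers that gap.
    """
    seen = defaultdict(set)
    if baseline_countries:
        for user, countries in baseline_countries.items():
            seen[user].update(countries)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        country = IP_COUNTRY.get(ev["ip"], "??")
        if seen[ev["user"]] and country not in seen[ev["user"]]:
            alerts.append((ev["user"], ev["ip"], country))
        seen[ev["user"]].add(country)
    return alerts


def spraying_sources(events, min_accounts=5):
    """Return {ip: distinct_user_count} for IPs that attempted logins against
    at least min_accounts distinct accounts, successful or not."""
    users_per_ip = defaultdict(set)
    for ev in events:
        users_per_ip[ev["ip"]].add(ev["user"])
    return {ip: len(users) for ip, users in users_per_ip.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("successes from a new country:", new_country_logins(evs))
    print("IPs hitting many accounts:", spraying_sources(evs))
```

On the sample, the per-account check catches alice's successful login from Brazil but not erin's, because erin has no prior history to compare against; the per-IP check catches 192.0.2.44 for touching six accounts in under a minute. Running both together is what makes a correct-password-from-elsewhere event visible as part of a stuffing campaign rather than an isolated travel anomaly.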
“It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party,” said LastPass in a statement. “We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”
However, security researcher Bob Diachenko suggested this may not be a credential stuffing attack, as thousands of LastPass login pairs were recently identified in Redline Stealer malware logs.