After receiving email notifications that someone had tried to log in to their accounts from unknown locations, several LastPass users claim their master passwords have been compromised. According to the email warnings, the login attempts were blocked because they came from unrecognized locations around the world.
“Someone just used your master password to try to log in to your account from a device or location we didn’t recognize,” as stated in the login alerts warning. “LastPass blocked this attempt, but you should take a closer look. Was this you?”
Reports of compromised LastPass master passwords have appeared on multiple social media and internet platforms, including Reddit, Twitter, and Hacker News (initial report by Greg Sadetsky).
Users who received these warnings, however, say that their master passwords are unique to LastPass and are not reused anywhere else. LastPass has been asked about these reports, but has not yet replied.
While LastPass has provided no information about the threat actors behind these credential stuffing attempts, security researcher Bob Diachenko recently discovered thousands of LastPass credentials while reviewing RedLine Stealer malware logs. However, LastPass customers who received these login notifications say their email addresses were not included in Diachenko’s list of login pairs harvested by RedLine Stealer.
This suggests that, at least in some of these cases, the threat actors behind the takeover attempts obtained their targets’ master passwords by some other means. Some users also report changing their master password after receiving the login warning, only to receive another alert afterwards.
Customers who tried to disable and delete their LastPass accounts after seeing these warnings report [1, 2] getting “Something went wrong: A” errors after pressing the “Delete” button. LastPass users should enable multifactor authentication so that their accounts remain protected even if their master password has been compromised.