A security scare cropped up late Tuesday for LastPass users when some reported receiving emails from LastPass, alerting them that LastPass had blocked unauthorized attempts to access their accounts. As first reported by AppleInsider, some LastPass members said they were notified of multiple attempted logins, using correct master passwords from various locations. LastPass confirmed the email alerts were related to an attempted credential stuffing attack — where malicious actors attempt to log in to multiple accounts with previously verified credentials — but said no master passwords were compromised.
In a statement Dan DeMichele, LastPass’ vice president of product management, said the email security alerts were sent to a limited subset of LastPass users and were likely triggered in error. DeMichele said LastPass has adjusted its security alert systems and the issue has been resolved.
“We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns,” DeMichele said. “However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.”
This isn’t the first time LastPass — whose source code is proprietary, rather than open-source — has faced a security scare or criticism over its privacy practices. Its most notable breach was in 2015 and is the only breach noted on LastPass’ official site. That same year, though, Asana Security Head Sean Cassidy discovered a phishing vulnerability created by a CSRF bug, and a research paper emerged detailing another CSRF bug and how LastPass’ Safari bookmarklet option was found vulnerable if users were tricked into clicking certain parts of an attacker’s site.
In 2016, two vulnerabilities were found. One was discovered by security researcher Mathias Karlsson, the other by Google Project Zero’s Tavis Ormandy, the latter of which prompted LastPass to urge users to update their browsers. In 2017, the password manager in its browser extension — the Achilles’ heel of most password managers — that could have allowed hackers to manipulate a LastPass account. This foreshadowed University of York research in 2019, which found another vulnerability that would allow malicious copycat apps to exploit LastPass’ autofill feature. Ormandy returned to LastPass scrutiny later in 2019, discovering a third browser extension vulnerability — which LastPass again resolved — that would expose login credentials you entered on a previously visited site.
In February 2021,for its use of web trackers.
Regarding Tuesday’s security scare, LastPass said it will monitor the service for unusual or malicious activity and continue to take any necessary steps to ensure user data security.
Unlike audits conducted across competitors RememBear, NordPass and open-source Bitwarden, LastPass’ independent, third-party audits are limited in their public availability. And while LogMeIn keeps a collection of audits for several of its properties, the company says its additional cloud security audit for LastPass is only available if you sign a nondisclosure agreement. Only bare-bones, organizational audits have traditionally been publicly available, along with a list of companies LastPass works with.
As a preventive security measure, LastPass users should regularly update their master password and enable multifactor authentication on their accounts. If you’ve reused your LastPass master password for any— such as or 1Password — we advise you to update those accounts as well. And remember: If you’re using a password manager, never reuse the master password for any other site, service or app.
How to update your LastPass master password
The simplest way to change your LastPass master password is by logging into your vault through LastPass’ main site. Because of the recent scare, you may be asked to confirm your identity when you first attempt to log in. If so, you’ll likely need to confirm your attempted login through an email sent to the address associated with your LastPass account. So check your inbox for a LastPass email if you run into snags while logging in.
Once you’ve logged into your vault, go to the top-right corner of the page and, just to the right of your LastPass user name, click the small inverted triangle icon to expand your account menu. Select Account Settings.
A screen will pop up. Its first tab is labelled General. Under the Login Credentials header, you’ll see a row called Master Password. Just to the right of those words, click the button labelled Change Master Password.
From here, you’ll be prompted to confirm your current master password, create your new master password, and write a clue to help you recall it in the future if necessary.
To check whether the email address associated with your LastPass account has been involved in any recent breaches, you can go to Have I Been Pwned and enter your email address in the search bar.