No data leak: Login warnings of the password manager LastPass

Threat Alert

Users of the password manager LastPass reported last week that they had received emails from the company warning of unauthorized login attempts made with their individual master passwords. LastPass issued a statement on the incident and assured users that no user information had been disclosed to third parties.

What happened?

On December 28, 2021, users of the password manager LastPass reported on the Hacker News platform that they had received emails from the provider informing them of blocked login attempts that used their master password from unusual locations. The emails showed none of the typical characteristics of phishing and appeared to be authentic. This raised suspicions that LastPass had suffered a data leak and that user information had been exposed to unauthorized third parties.

After a thorough review of the unusual activity, LastPass stated that no user data had been compromised and that the service provider had not fallen victim to a malware attack or phishing campaign. Bot activity was instead suspected to be behind the login attempts.

Further investigation eventually revealed that the emails had been sent because of a bug in the alerting system: a limited number of LastPass users had mistakenly received automated security alerts from the company that were unfounded.

In response to the incident, LastPass adjusted its security alert system and pointed out that, under its zero-knowledge security model, users' master passwords are never stored on the company's servers.

What can I do?

Always use strong passwords and never reuse a password across different applications.
If you also use the master password of your password manager for other applications or tools, change this immediately.
In any case, activate two-factor authentication, especially for a sensitive tool such as a password manager. This way you can make sure that unauthorized persons do not gain access to your systems.
If you suspect that your password has been compromised, change it immediately. The rule here is: better safe than sorry.
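The incident above turned on one detail of alert logic: a "your master password was used from an unusual location" warning is only meaningful if the presented password actually verified, otherwise credential-stuffing bots guessing wrong passwords would generate alarming but unfounded emails. The following is an added, constructed example (not LastPass's code, and not a description of their actual bug) of a small login-evaluation routine that enforces exactly that rule and also folds in the two-factor advice from the list above. All names (`UserRecord`, `LoginAttempt`, `evaluate`, `run_batch`) and the sample attempts are assumptions made for the illustration.

```python
"""Illustrative login-decision and alerting logic (constructed example).

Rule demonstrated: the "unusual location" alert is raised ONLY when the
master password verified AND the source country is not on the user's list
of known locations.  Wrong-password attempts, the usual signature of
credential-stuffing bots, are denied silently, so users are never told
that their master password was "used" when it was not.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os


@dataclass
class UserRecord:
    username: str
    salt: bytes
    pw_hash: bytes                      # PBKDF2 of the master password, never the password itself
    known_countries: set = field(default_factory=set)
    mfa_enabled: bool = False           # second factor enrolled?


@dataclass
class LoginAttempt:
    username: str
    password: str                       # the password presented in this attempt
    country: str                        # geolocated source of the attempt (constructed input)


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so the server never stores the plaintext master password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def enroll(username: str, password: str, known_countries, mfa_enabled: bool = False) -> UserRecord:
    """Create a user record; only a salted hash of the password is retained."""
    salt = os.urandom(16)
    return UserRecord(username, salt, derive(password, salt), set(known_countries), mfa_enabled)


def evaluate(user: UserRecord, attempt: LoginAttempt) -> dict:
    """Return the access decision and which alert (if any) should be emailed."""
    password_ok = hmac.compare_digest(derive(attempt.password, user.salt), user.pw_hash)
    if not password_ok:
        # Wrong password: deny, but send no "master password used" alert,
        # because the master password was not used.
        return {"decision": "deny", "alert": None}
    if attempt.country not in user.known_countries:
        # Correct password from a never-seen location: block and notify,
        # this is the case that genuinely warrants a warning email.
        return {"decision": "block", "alert": "unusual_location"}
    # Correct password, known location: let the second factor decide if enrolled.
    return {"decision": "require_mfa" if user.mfa_enabled else "allow", "alert": None}


def run_batch(user: UserRecord, attempts) -> list:
    """Evaluate a batch of attempts and return only the alerts that should be sent."""
    return [a.country for a in attempts if evaluate(user, a)["alert"] == "unusual_location"]


if __name__ == "__main__":
    alice = enroll("alice", "correct horse battery staple", {"DE"}, mfa_enabled=True)
    # Constructed sample traffic: a stuffing burst with guessed passwords, one genuine
    # use of the real password abroad, and one normal login from home.
    sample = [
        LoginAttempt("alice", "123456", "BR"),
        LoginAttempt("alice", "password", "BR"),
        LoginAttempt("alice", "alice2021", "BR"),
        LoginAttempt("alice", "correct horse battery staple", "BR"),
        LoginAttempt("alice", "correct horse battery staple", "DE"),
    ]
    for a in sample:
        print(a.country, a.password[:8].ljust(8), evaluate(alice, a))
    print("alerts to send:", run_batch(alice, sample))
```

The three guessed passwords produce denials but no email; only the single attempt that used the real master password from an unknown country yields an alert, and the login from the known country proceeds to the second factor, which is what makes enrolling 2FA on a password manager worthwhile.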