Many LastPass users have reported that their passwords were compromised after they received alerts through email telling them that someone from an unknown location attempted to log in to their accounts.
The email notifications also state that the login attempts were blocked because they were made from unknown locations worldwide.
“Someone just used your master password to try to log in to your account from a device or location we didn’t recognize,” the login alert says.
“LastPass blocked this attempt, but you should take a closer look. Was this you?”
Reports of compromised LastPass master passwords have been circling in online platforms such as Twitter, Reddit, and Hacker News.
The website Bleeping Computer reports that LogMeIn PR/AR Senior Director Nikolett Bacso-Albaum told them that “”LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.”
Bacso-Albaum also added that “It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure”.
However, users of LastPass who received these warnings have said that their passwords were only used to log in to LastPass and not used elsewhere. As per Bleeping Computer, it has contacted LastPass regarding these concerns but have yet to receive a reply.LastPass users are advised to enable multifactor authentication in order to protect their accounts even if their master password was compromised.
