LastPass says an error, not hackers, triggered some security alerts

LastPass, the service that secures your individual account passwords behind a single master password, was the subject of new security concerns this week as users reported unusual activity warnings. The company initially described the warnings as likely resulting from credential-stuffing activity but has since clarified that a system error may have caused some of the alerts.

The issue

LastPass users took to social media sites this week to report that they'd received emails warning them about blocked attempts to sign in to their accounts. The number of reports rolling in from users raised questions over whether there had been a larger security breach at LastPass, though the company was quick to deny it (via Twitter).

Fueling the speculation was a seemingly related issue in which some users, including myself, received alerts warning that someone had attempted to use the account's master password, which is essentially the password for the LastPass vault. If the LastPass user set their master password as something they'd previously used on a different platform that leaked it to the wider Internet, it is possible the login attempts could be the result of credential-stuffing efforts.

However, in my case, the LastPass master password on my account was automatically generated using the browser's password generator. The master password is a long series of random characters that cannot reasonably be guessed, and, of particular importance, I have never used the password on any other account or platform.

For this reason, it is not possible my master password was previously leaked by a different service, then swept up by hackers attempting to get into accounts by credential stuffing — a term that refers to repeatedly attempting to log into accounts using known passwords and variants of them in hopes that one works.

Multiple claims surfaced on social media from users who said they, too, used unique master passwords for their LastPass accounts that weren't previously used on other platforms (1,2). In light of this, we reached out to LastPass for clarification on what may be causing these users to receive the security alerts.

One issue leads to another

The company says its investigation found evidence that an error may have caused some users to receive security warnings when no attempts had, in fact, been made to access their accounts. After finding no evidence of a security breach, LastPass says it continued to investigate, specifically looking into the cause of the automated security warnings some users were receiving.
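As an added illustration (not code from the article or from LastPass), here is the kind of defender-side check the two explanations in this story imply: each security alert is correlated with the failed-login events behind it, so an alert with no underlying attempt is flagged as a likely pipeline error rather than an attack, while a single source failing against many distinct accounts is labelled credential stuffing. The event and alert records, the field names and the threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real LastPass telemetry): failed-login events
# and the security alerts that were emailed to users.
FAILED_LOGINS = [
    {"user": "alice", "src_ip": "203.0.113.10"},
    {"user": "bob", "src_ip": "203.0.113.10"},
    {"user": "carol", "src_ip": "203.0.113.10"},
    {"user": "dave", "src_ip": "203.0.113.10"},
    {"user": "erin", "src_ip": "198.51.100.7"},
]
ALERTS = [
    {"user": "alice"},
    {"user": "erin"},
    {"user": "frank"},  # no failed login exists behind this alert
]

# One source failing against many distinct accounts is the shape of
# credential stuffing (a leaked password list sprayed across users).
# The threshold is an assumed value for the demo.
STUFFING_MIN_ACCOUNTS = 3


def accounts_per_source(events):
    """Map each source IP to the set of accounts it failed against."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src_ip"]].add(e["user"])
    return seen


def classify_alerts(alerts, events, min_accounts=STUFFING_MIN_ACCOUNTS):
    """Return {user: verdict} explaining what, if anything, triggered each alert."""
    per_source = accounts_per_source(events)
    events_by_user = defaultdict(list)
    for e in events:
        events_by_user[e["user"]].append(e)
    verdicts = {}
    for a in alerts:
        user_events = events_by_user.get(a["user"], [])
        if not user_events:
            # Alert with no underlying attempt: the alerting pipeline, not an
            # attacker, is the suspect (the situation the article describes).
            verdicts[a["user"]] = "no_event_false_positive"
        elif any(len(per_source[e["src_ip"]]) >= min_accounts for e in user_events):
            verdicts[a["user"]] = "credential_stuffing"
        else:
            verdicts[a["user"]] = "isolated_failed_login"
    return verdicts
```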

In a statement on the matter, LastPass VP of Product Management Dan DeMichele explained:

Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.

These alerts were triggered due to LastPass's ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass' zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to users' Master Password(s).

We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.

In addition to the statement, LastPass has published a blog post detailing some of the safety features used in its system, including how its "zero-knowledge" model works and why, despite that model, users must still choose strong, unique master passwords. Users who want an extra layer of security and peace of mind should also consider enabling multi-factor authentication on their accounts to better protect them against intruders.