“LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted ‘credential stuffing’ activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services,” LastPass spokesperson Meghan Larson told us. “It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”
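An added example (not from this thread or from LastPass) of how a defender would spot the pattern the spokesperson describes in authentication logs: many different accounts tried from one source in a short window, most of them failing. The log line format, IP addresses, usernames and thresholds are all constructed for this illustration; the point is that the distinct-account count is what separates credential stuffing from a brute-force attack on one account, and that any successes from a flagged source identify the users whose reused passwords need a forced reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real LastPass data); the line
# format is an assumption made for this example.
SAMPLE_LOG = """\
2021-12-27T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2021-12-27T10:00:02Z ip=203.0.113.5 user=bob@example.com result=fail
2021-12-27T10:00:03Z ip=203.0.113.5 user=carol@example.com result=fail
2021-12-27T10:00:04Z ip=203.0.113.5 user=dave@example.com result=fail
2021-12-27T10:00:05Z ip=203.0.113.5 user=erin@example.com result=success
2021-12-27T10:00:06Z ip=203.0.113.5 user=frank@example.com result=fail
2021-12-27T10:00:07Z ip=198.51.100.7 user=alice@example.com result=fail
2021-12-27T10:00:09Z ip=198.51.100.7 user=alice@example.com result=fail
2021-12-27T10:00:15Z ip=198.51.100.7 user=alice@example.com result=success
2021-12-27T10:30:00Z ip=192.0.2.9 user=grace@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>fail|success)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many *different* accounts within one window
    with a low success rate.  The distinct-user count is what separates
    stuffing from a brute-force attack on a single account, which hammers
    one username with many passwords (198.51.100.7 above is not flagged)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # Slide a window starting at each attempt from this IP.
        for i, (start, _, _, _) in enumerate(evs):
            users, succeeded, attempts = set(), [], 0
            for ts, _, user, ok in evs[i:]:
                if ts - start > window:
                    break
                attempts += 1
                users.add(user)
                if ok:
                    succeeded.append(user)
            if len(users) >= min_distinct_users and len(succeeded) / attempts <= max_success_ratio:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": attempts,
                    # Accounts that accepted a stuffed credential: the users whose
                    # password was reused elsewhere and who need a forced reset
                    # or step-up authentication before the session is honoured.
                    "suspect_accounts": sorted(set(succeeded)),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Running it flags only 203.0.113.5 (six accounts in six seconds, one success) and reports erin@example.com as the account to act on; the repeated attempts against alice from 198.51.100.7 are a different pattern and are left to a per-account lockout rule.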
Wow… 2 things come to mind:
- multiple attempts; which would mean it is a directed and concerted effort to hack LastPass accounts
- master passwords; I would imagine Master Passwords are unique and not like anything used elsewhere as they would thus defeat the purpose of having LastPass or any password manager at all.
That said, it is hard to believe master passwords would be successful with credential stuffing, as LastPass would want to make us believe.
Another reason to always switch on 2FA and preferably also have a YubiKey or something attached to your password manager.
This is why I stuck with 1Password as they do 2FA, YubiKey and also have a Secret Key, which renders the master password alone useless.
It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed
Yup, saw that and hope it’s right.
Fingers crossed no one gets caught out using a multi-use master password. If so, why have a password manager?
But at least it’s not an Electron app.
I don’t know why people would reuse a master password. Well, I hope it’s “credential stuffing” and not something with LastPass.
To me that’s irrelevant, because it’s not even a question of whether it’s possible - it’s known that it is. It’s just a question of whether it happened in this case.
If it can happen, it almost certainly will - it’s just a matter of when.
I bet master password reuse is high. People cannot help themselves. One reason I like the additional secret key method is it assumes people will be lazy with their password and gives them a second one that they can’t set themselves.
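The “secret key” idea raised in the two posts above (a second secret that renders the master password alone useless, and that the user cannot choose themselves) can be shown with a small key-derivation sketch. This is an added illustration, not 1Password’s actual scheme: the PBKDF2/HMAC/XOR construction, the iteration count and the salt and key values are assumptions made for the example. It models an attacker holding a stolen vault and a list of leaked passwords, and shows that a weak, reused master password falls only when the secret key is also known.

```python
import hashlib
import hmac
import secrets

# Constructed demonstration parameters (not real product values).
ITERATIONS = 20_000
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_SECRET_KEY = bytes.fromhex("a3f1c0de9b7e5d2c4a6f8e1d0c3b5a79")


def generate_secret_key() -> bytes:
    """A 128-bit random value created by the client at enrolment.  The user
    never chooses it, so it cannot be weak or reused from another site; it
    lives on enrolled devices and in the printed recovery kit."""
    return secrets.token_bytes(16)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a user-chosen password with the device-held secret key.

    The password goes through a slow KDF because it may be guessable; the
    secret key is already high-entropy, so one HMAC suffices.  XORing the two
    outputs means neither half alone yields the vault key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, ITERATIONS, dklen=32)
    sk_part = hmac.new(salt, secret_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def offline_guess(dictionary, salt: bytes, secret_key: bytes, target_key: bytes):
    """Model an attacker who has the stolen vault (salt plus a way to verify a
    candidate key) and a list of leaked passwords.  With the correct secret key
    the reused password falls; with any other secret key every guess fails,
    and enumerating the 128-bit secret key itself is out of reach."""
    for candidate in dictionary:
        if hmac.compare_digest(derive_vault_key(candidate, secret_key, salt), target_key):
            return candidate
    return None


if __name__ == "__main__":
    leaked = ["123456", "password", "correct horse"]
    vault_key = derive_vault_key("correct horse", DEMO_SECRET_KEY, DEMO_SALT)
    print("with secret key   :", offline_guess(leaked, DEMO_SALT, DEMO_SECRET_KEY, vault_key))
    print("without secret key:", offline_guess(leaked, DEMO_SALT, bytes(16), vault_key))
```

The trade-off the thread goes on to discuss is visible in the code: the secret key must be backed up somewhere the user (or their heirs) can find it, because the server never holds it and the password cannot stand in for it.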
I understand the value of a yubikey, but I’ve had 2FA devices fail and am hesitant to rely on them again. Also, it would complicate end of life planning.
The secret key did not come into use until 1Password.com went subscription and started storing your passwords on their server. Then they killed local vaults. So now everyone needs two passwords to access their stuff. They should change their name to 2Password.com
I always register 2 hardware keys and only if there are also account recovery codes available. Instructions for EOL and access to keys have all been accounted for.
Sounds like you got things covered.