LastPass VPs say ‘no indication’ of accounts compromised or credentials harvested after reports

Two LastPass vice presidents have released statements about the situation surrounding LastPass security issues that came to light this week. 

Two days ago, hundreds of LastPass users took to Twitter, Reddit and other sites to complain that they were getting alerts about their master password being used by someone that was not them. Some reported that even after changing their master password, someone tried to access their account again. 

On Tuesday, the company released a brief statement noting that their security team observed and received reports of potential credential stuffing attempts.

“While we have observed a small uptick in this activity, we are utilizing multiple technical, organizational, and operational methods designed to protect against credential stuffing attempts. Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn were breached or compromised,” wrote Gabor Angyal, VP of engineering at LastPass. 

On Wednesday, the company expanded Angyal’s statement, explaining that they recently investigated reports of an uptick of users receiving blocked access emails, normally sent to users who log in from different devices and locations. 

Their initial findings led them to believe that these alerts were triggered in response to attempted ‘credential stuffing’ activity. 

“We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns,” Angyal’s new statement said. 

“However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.” 

Angyal noted that at “no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).”

LastPass VP of product management Dan DeMichele sent out a notice to multiple outlets with the same information that was shared in the updated statement from Angyal. 

Some online were not assuaged by the statement, noting the qualifiers used that prompted more questions. 

Craig Lurey, CTO of password manager Keeper, said that what is so concerning about credential stuffing attacks is that they prey on a highly prevalent problem among consumers right now: breach fatigue. 

“With a slew of breaches and alerts throughout 2021, consumers have become apathetic to compromised accounts. In fact, a recent survey from the Identity Theft Resource Center revealed that 16% of breach victims take absolutely no action to re-secure their accounts,” Lurey said. 

“In their minds, the ‘data is already out there,’ the hacked organization will take care of it, they don’t know what to do, or, ironically, they dismiss the notification as a scam. This apathy is what cybercriminals thrive on and is why we can expect to see a rise in credential stuffing alerts.”

Due to the concerns over master passwords, Perimeter 81 CEO Amit Bareket suggested using biometric authentication or MFA for master passwords with managers like LastPass. 

Parent company LogMeIn announced just two weeks ago that it is spinning off LastPass into its own company.