LastPass Claims No User Data Compromised After Data Leak Scare

Many LastPass users believe that their information may have been exposed in a data leak, but LastPass says it’s not the case.

Numerous people have reported unusual activity with their LastPass accounts — both on Twitter and online forums, and everyone has been saying the same thing: that they received an email from LastPass stating that somebody had used their master password (which is the one used to access all their stored passwords) to try to log in to their LastPass account. As stated in the Tweet below by @technology_greg, the login attempts seemed to come from IP addresses in Brazil.

@technology_greg — one of the first people to sound the alarm about a potential security incident.

All reports, across both Twitter and online forums, as AppleInsider reported, are by people who haven’t changed their master password, or even used their LastPass account in a very long time. This is a strong indication that the password list the hacker has access to (if this is the case) was not leaked recently.

Clarification on the incident from LastPass

It was initially believed — even by LastPass — that these unauthorized login attempts could have been the result of a credential snuffing attack. A credential snuffing attack occurs when a cybercriminal uses bots to launch automated login requests using stolen login credentials, often on a large scale. However, in LastPass’ most recent statement on the incident, the company clarified that this is not what happened:

“We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”

Further in the statement, the company said that it believes the emails were sent to users by mistake, stating:

“we continued to investigate [the issue] in an effort to determine what was causing the automated security alert emails to be triggered from our systems” and that “these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error.”

With LastPass providing clarification on the situation, many people will be adequately reassured that the service is safe and secure. However, if you’re one of the people who are searching for alternative password managers, you will definitely want to check out this article — and specifically the “Premium password manager picks” section.