In the last 24 hours people have started reporting worrying attempts from unknown IPs to log in to their LastPass account with their master password. LastPass are referring to it as a credential stuffing attack, but the lengthy Hacker News thread where it first surfaced (linked in this article) suggests it might be more than that.
I have a password with LastPass that I have never used anywhere else. It’s quite long, on the order of 30 characters. And I have never been phished or otherwise uncareful with my password. If I get such a warning from them, then I know they have a serious problem somewhere. I would enable 2 factor if they didn’t charge extra for that feature.
EDIT: I checked, and I haven’t received any warning emails, thankfully.
Yes, I always had my LastPass account connected to my Yubikey, so that without that, nobody could log onto my account. And likewise, if they got the key, they still needed my username and password.
As I used LastPass for the whole family, I was worth the money, which also gave me 2FA.
I have since switched to 1Password. It works better, but has one minor drawback for family accounts, you can’t give somebody a dead-man’s switch access to your account. That has been done with emergency OTPs in a safe.
Just to add, 2FA should be a standard requirement of such a service these days, it is unforgivable that it is a cost plus service.
I had 2FA on my Last Pass account, but since I no longer use it went in and deleted it.
I’ve been monitoring this since I saw the thread on Hacker News. It’s a bit of a mystery but I’m glad I’m using BitWarden these days. And, fortunately, deleted my Lastpass Vault some months ago (which caused a big problem with all my shared passwords - just FYI - Lastpass does not copy shared items to the recipient’s vault. It’s just a soft link to the items in your own vault. That’s ugly.)
2FA (not with Lastpass) to the rescue. Yubikey especially as @big_D notes.
Just realized I should clarify, I deleted my LastPass account, not the 2FA. I use 2FA on everything I can.
With a totally unique password that I’ve never used anywhere else and 2FA, I’m not worried. Let them try to brute force their way into my account. It also helps that I use unique e-mail addresses whenever I sign up for other sites…so if, for example, Target gets hacked (again), they may know the e-mail and/or password I used for Target but neither of those would do them any good anywhere else. (It also helps because if I start getting spam at my Target e-mail, I know who leaked it and can take appropriate action.)
Lastpass says it’s credential stuffing - a master password that was used elsewhere. If that’s the case there’s nothing to fear. It does seem odd that someone would re-use a master password, but I guess people do.
The original Hacker News thread is here: Ask HN: How did my LastPass master password get leaked? | Hacker News
One presumes, if you use the same email address with your LastPass that you use elsewhere, it could have leaked. Now if you also use a seriously weak password with your LastPass account, it might be possible to attempt to brute force the password? I don’t know what protections LastPass has on random processes requesting arbitrary blocks of data and then attempting to decrypt them with a guessed, low quality, password? One presumes that is the plug-in can request blocks to validate your password, that so can an attacker.
Of course none of us can say anything but “it has” or “it has not” happened to me. All I would expect to hear here, among TWiT listeners, is that it has not happened. I use an email specific to LastPass for example, that I have never used anywhere else. (Along with a password unique to it, that has never been used anywhere else.)
But you, and I, are not normal. Most people can’t do that or don’t know how to do that.
This prompted me to finally delete my LastPass account as I’ve been using Bitwarden for a while now. Followed the instructions…and got an error It won’t let me login now - but has it deleted my data?
The reply from LastPass support in this Twitter conversation suggests that the data has been deleted. Hope that’s reassuring.
Posts like this one in the HN thread (a looong way down) made me wonder if it could be more than just credential stuffing using old stolen details:
Or it could just be that the “Was this you” message was being generated in error. But given what it’s supposed to be alerting you to, I think I’d want to see a really specific and open explanation of how that had occurred before I’d feel like trusting that these were false positives.
I had a Lastpass for 9 years some of which as a premium user. When this story occurred I decided to change my master password via the web UI. My new password adhered to all the requirements yet every time I tried I was told the password was not changed. Since the account was no longer being used on a regular basis I decided to simply axe the account. Even that resulted in a stupid error message:
“Something went wrong. : A”
The account was in fact deleted and I am not the only one that has been seeing false error messages when they tried to delete their accounts.
Lastpass has gravitated to corporations where the big $ is and with the recent news that they are being spun off as a separate company, I would not be surprised if they are either preparing for an IPO or being sold again.
That sounds the same as the Twitter conversation I linked to earlier, where the error is triggered by still being logged in to the account you’re deleting on some other (possibly historic) device. Not very reassuring that the error condition was presumably never identified or programmed for, hence the meaningless generic message.
Being a free Lastpass user at the time I had to rely only on the Lastpass community rather than being able to contact Lastpass support directly. I was told to make sure I was signed out of all other sessions via a command in the web UI which I did. That did not help. Was glad when I attempted to login into the account after that error message to be told that the account did not exist. Sad to see my 9 year relationship with Lastpass come to an end along with it the promoting of the service to family and friends.
I saw people saying that emphatically that their master password was unique and had not been used elsewhere. For years I had restricted Lastpass to only allow logins from my country. It seems that Lastpass was blocking these requests even though these people never enable this feature in their account.
I noticed that there were several updates to the BleepingComputer story including this one:
Update December 29, 03:37 EST: In an update to the original statement, LastPass VP of Product Management Dan DeMichele told BleepingComputer that some of the login warnings were likely sent in error.
Sadly the company and their code has really gone down hill. I apologize to all the people who signed up because of us. All I can say is that they used to be really great. And maybe better days are to come now that they’re being spun off from LogMeIn.
Leo, stop kicking yourself. Back in the day, LastPass was a great product. You could never have predicted what would happen in the future. Plus, as I recall, you personally have said that they saved you guys in 2020 when they purchased studio naming rights when other advertisers pulled out due to the pandemic.
While the LastPass of today is different, don’t blame yourself for recommending a product back in the day that was secure and solved a necessary need.
Things change. While LastPass wouldn’t be my recommended product today, doesn’t mean I wasn’t a happy user back in the day.
I’ll second that. I was a paying customer for years and it was a great product. But the last 18 months have seen it go downhill, unfortunately.