LastPass VPs confirm 'no indication' of compromised accounts after security alerts

LastPass VP Gabor Angyal said some of the security alerts that initially caused concern were "likely triggered in error."
Written by Jonathan Greig, Contributor

Two LastPass vice presidents have released statements about the situation surrounding LastPass security issues that came to light this week. 

Two days ago, hundreds of LastPass users took to Twitter, Redditand other sites to complain that they were getting alerts about their master password being used by someone who was not them. Some reported that even after changing their master password, someone tried to access their account again. 

On Tuesday, the company released a brief statement noting that its security team observed and received reports of potential credential stuffing attempts. Credential stuffing involves attackers stealing credentials (usernames, passwords, etc.) to access users' accounts.

"While we have observed a small uptick in this activity, we are utilizing multiple technical, organizational, and operational methods designed to protect against credential stuffing attempts. Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn were breached or compromised," wrote Gabor Angyal, VP of engineering at LastPass. 

On Wednesday, the company expanded Angyal's original statement, explaining that it recently investigated reports of an uptick of users receiving blocked access emails, normally sent to users who log in from different devices and locations. The company's initial findings led it to believe that these alerts were triggered in response to attempted "credential stuffing" activity. 

Angyal's Wednesday statement said, "Out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved." 

Angyal noted that at "no time does LastPass store, have knowledge of, or have access to a user's Master Password(s)."

LastPass VP of product management Dan DeMichele sent out a notice to multiple outlets with the same information that was shared in the updated statement from Angyal. 

Some online were not assuaged by the statement, noting the qualifiers used that prompted more questions. 

Craig Lurey, CTO of password manager Keeper, said that what is so concerning about credential stuffing attacks is that attackers prey on a highly-prevalent problem among consumers right now: breach fatigue. 

"With a slew of breaches and alerts throughout 2021, consumers have become apathetic to compromised accounts. In fact, a recent survey from the Identity Theft Resource Center revealed that 16% of breach victims take absolutely no action to re-secure their accounts," Lurey said. 

"In their minds, the 'data is already out there,' the hacked organization will take care of it, they don't know what to do, or, ironically, they dismiss the notification as a scam. This apathy is what cybercriminals thrive on and is why we can expect to see a rise in credential stuffing alerts."

Due to the concerns over master passwords, Perimeter 81 CEO Amit Bareket suggested using biometric authentication or MFA for master passwords with managers like LastPass. 

Parent company LogMeIn announced just two weeks ago that it is spinning off LastPass into its own company. 

Editorial standards