LastPass Says It Didn’t Leak Your Password


Did LastPass get hacked?

Some users of the popular password manager recently received emails from the company warning them of suspicious login attempts that were utilising their master password — definitely never a great sign. Speculation soon spread that LastPass may have suffered a data breach that exposed users’ credentials, thus allowing for the malicious activity to take place.

The news first blew up on the popular forum Hacker News before spreading to Twitter.

Password managers — which are handy tools to store all your web credentials in one centralised, supposedly secure, location — have been known to have serious security vulnerabilities, the likes of which could hypothetically lead to hacking incidents. LastPass has had its fair share of these issues. In some cases — like with Passwordstate this past summer — the results of such security deficiencies can be fairly disastrous.

In this particular case, where users’ master passwords were compromised (master passwords are used to log in to the manager itself and thus access the rest of a user’s passcodes), the inclination to believe that the company somehow messed up is strong.

But is there any validity to the claims against LastPass? According to LastPass itself, the answer is: We don’t think so. When reached for comment by Gizmodo, the company provided us with a statement blaming the irregular activity on “credential stuffing” attempts by some unknown threat actor:

LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.

The company goes on to claim that it hasn’t seen any evidence of actual hacking of its servers or even compromise of individual accounts:

It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorised party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.

So, according to the company, it hasn’t seen any evidence that it leaked users’ data, or that a hacker has even successfully gotten their hooks into users’ accounts. If you’re a LastPass user and that sounds like cold comfort, a good step to take would be to activate multi-factor authentication as an additional protection — probably a good thing to do anyway.