LastPass users worldwide were alarmed after receiving email alerts stating that their master passwords had been accessed by unknown threat actors from unrecognised locations. The access attempts were blocked immediately as a safety precaution because they came from unidentified locations.
Affected users posted similar accounts of compromised LastPass master passwords on several social media sites, including Reddit and Twitter.
LastPass is a password manager that is popular worldwide. It offers its users secure password storage that can be accessed easily from any device, anywhere and at any time.
According to a statement released by a spokesperson, the LastPass security team investigated the incident and found that it was caused by common bot-related malicious activity, in which threat actors tried to access LastPass user accounts using email addresses and passwords acquired from third-party breaches of other, unaffiliated platforms.
The statement also assured worried clients that their LastPass accounts were safe from any breach, despite the unauthorised access attempts. The security team routinely monitors all activity within the platform and said that it would further enhance its services to protect all clients and their data.
Some users said that their master passwords are unique to LastPass, so they are unconvinced that the hackers obtained them from third-party platforms.
The LastPass team has not yet responded to users’ appeals, and it also refused to share details about the hackers who conducted the unauthorised login attempts.
A researcher also revealed that they had discovered thousands of LastPass user credentials in Redline Stealer malware logs during a routine search. However, the users who received email alerts about the unauthorised logins said that their credentials were not among the login pairs the researcher found in those logs.
Experts conclude from these findings that threat actors might have another vector for obtaining the affected users’ login credentials and stealing their master passwords. For this reason, many users began changing their master passwords to protect themselves against a breach, yet they received another email alert about an unauthorised login from an unknown location.
The affected users became even more worried about the incident, so they tried to delete their LastPass accounts, only to receive warnings that they could not proceed with account deletion for unknown reasons.
In the meantime, experts recommend that all LastPass users enable multifactor authentication to guard themselves against unauthorised login attempts from hackers who try to steal their master passwords.