Credential stuffing attack spooks LastPass users

Users of the LastPass encrypted password manager are on edge after word spread that some customers received alerts that their credentials were being used by an unauthorized third party to get into their systems.

On Tuesday LastPass said “some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.”

“Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services,” Gabor Angyal, the company’s senior director of engineering, said in a blog.

“We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”

“At no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s),” he added.

The alerts have made some LastPass users worry that far from this being a credential stuffing attack, their usernames and passwords have in some way been compromised, reports the Bleeping Computer news service. 

It quotes security researcher Bob Diachenko tweeting that he recently found thousands of LastPass credentials while going through RedLine Stealer malware logs. However, LastPass customers who received login alerts also told the news site that their emails were not in the list of login pairs harvested by RedLine Stealer that Diachenko found.

LastPass, which sells a password manager for enterprises as well as individuals, reminds users of the importance of using a complex, unique password as their master password for logging into the application, and protecting that login with multi-factor authentication.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
