
Credential stuffing attack spooks LastPass users


Users of the LastPass encrypted password manager are on edge after word spread that some customers received alerts that their credentials were being used by an unauthorized third party to get into their systems.

On Tuesday LastPass said “some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.”

“Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services,” Gabor Angyal, the company’s senior director of engineering, said in a blog.

“We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”

“At no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s),” he added.

The alerts have made some LastPass users worry that, far from this being a credential stuffing attack, their usernames and passwords have somehow been compromised, reports the Bleeping Computer news service.

It quotes security researcher Bob Diachenko tweeting that he recently found thousands of LastPass credentials while going through RedLine Stealer malware logs. However, the news site was also told by LastPass customers who received login alerts that their email addresses were not among the login pairs harvested by RedLine Stealer that Diachenko found.

LastPass, which sells a password manager for enterprises as well as individuals, reminds users of the importance of using a complex, unique password as their master password for logging into the application, and protecting that login with multi-factor authentication.
