LastPass Blunder Causes Security Scare

Users of popular password manager tool LastPass have reported worrying emails that suggest their master passwords have been compromised. LastPass says the emails may have been sent mistakenly and that it has no evidence of any security breach.

Like most such tools, LastPass let users create a single memorable password, the name coming from the idea it's the "last password" users will ever need to remember. This password is necessary to unlock a private vault of stored encrypted passwords for other sites.

One of the big keys to the service is that LastPass itself has no access to the master password, theoretically removing any risk that it can be breached and in turn expose the user's details for other sites.

Several users have now reported receiving an email from LastPass reading:

Login attempt blocked / Hello, Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Attacks Unsuccessful

LastPass has confirmed the emails are genuine rather than a phishing attack that, for example, might take users to a bogus site in the hope of them typing in their master password.

The emails appear to have been sparked by a suspicious pattern on automated login attempts using a list of emails and passwords from breaches elsewhere. LastPass initially responded by stressing that the attacks appeared to be completely unsuccessful. (Source: ghacks.net)

The problem is that the wording of the email certainly suggests that the attackers correctly input the master password and it was only LastPass systems spotting suspicious activity that stopped them getting into people's accounts. That prompted widespread speculation of how the attackers got hold of the correct master passwords for specific accounts.

Message Was Mistaken

LastPass now says it has "since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved." (Source: bleepingcomputer.com)

In other words, attackers did target LastPass customers, but the company's systems sent out the wrong alert. The attackers were almost certainly trying to access accounts using stolen email/password combinations from other sites in the hope of finding users who'd re-used one of those passwords as their LastPass master password. That mistakenly triggered an alert that wrongly suggested the attackers had successfully discovered the master password.

If nothing else, it's a reminder that while password managers can be very useful, users should always create a unique master password that they've never used on any other site. It's also worth considering a balanced approach where the password manager stores details for most sites, but isn't used for the most sensitive accounts such as email and financial accounts.

What's Your Opinion?

Do you use a password manager? Do you trust that your master password is totally secure? Does LastPass's explanation make sense?