Did LastPass get hacked?
A number of users of the popular password manager recently received emails from the company warning them that someone had tried to log in to their account using their master password, never a great sign. Some of those users also said that their master password was unique to LastPass and had never been used anywhere else, which would rule out the usual explanation of password reuse. Speculation soon spread that the company itself may have suffered a data breach that exposed login credentials, which would have been what made the malicious activity possible.
The news first blew up on the popular forum Hacker News before spreading to Twitter.
Password managers, handy tools that store all your web credentials in one centralized and supposedly secure location, have been known to have serious security vulnerabilities, and a flaw in the one place that holds every password is about as high-value a target as it gets. LastPass has had its fair share of these issues. In some cases the results can be fairly disastrous: earlier this year Passwordstate's own update mechanism was compromised and used to push a malicious update to its customers.
In this particular case, where the credential being tried was users' master passwords (the master password is used to log in to the manager itself and therefore unlocks every other password in the vault), the inclination to believe that the company somehow messed up is strong.
But is there any validity to the claims against LastPass? According to LastPass itself, the answer is: We don’t think so. When reached for comment by Gizmodo, the company provided us with a statement blaming the irregular activity on “credential stuffing” attempts by some unknown threat actor:
LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.
The company goes on to claim that it hasn’t seen any evidence of actual hacking of its servers or even compromise of individual accounts:
It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
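What credential stuffing looks like from the defender's side is worth spelling out, because it is what distinguishes the company's explanation from an actual breach. Stuffing replays email-and-password pairs taken from other sites' breaches against the login endpoint, so the signature is breadth rather than depth: a small number of source addresses trying many different accounts, mostly failing, in a short window. The script below is an added example written for this article, not LastPass's detection logic; the log format and the sample lines are constructed for the illustration, and the thresholds are assumptions a real deployment would tune.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not LastPass's own code.  The log line format
"<ISO timestamp> ip=<addr> user=<email> result=<ok|fail>" and the sample
entries are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hits six different accounts in seconds
# (one of them succeeds), a second source retries a single account, and a
# third is an ordinary successful login.
SAMPLE_LOG = """\
2021-12-27T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2021-12-27T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2021-12-27T10:00:02Z ip=203.0.113.7 user=carol@example.com result=fail
2021-12-27T10:00:03Z ip=203.0.113.7 user=dave@example.com result=ok
2021-12-27T10:00:04Z ip=203.0.113.7 user=erin@example.com result=fail
2021-12-27T10:00:05Z ip=203.0.113.7 user=frank@example.com result=fail
2021-12-27T10:00:40Z ip=198.51.100.2 user=alice@example.com result=fail
2021-12-27T10:00:55Z ip=198.51.100.2 user=alice@example.com result=ok
2021-12-27T10:01:10Z ip=192.0.2.9 user=grace@example.com result=ok
"""


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) for one log line."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"] == "ok"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=5, max_success_rate=0.5):
    """Return {ip: {"accounts", "attempts", "successes"}} for every source
    that tried at least `min_accounts` distinct accounts within `window`
    with a success rate at or below `max_success_rate`.

    A user fumbling their own password, or a single-account brute force,
    is deliberately not flagged: many accounts from one source is the
    stuffing signature.  Thresholds are illustrative assumptions.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {user for _, user, _ in chunk}
            if len(accounts) < min_accounts:
                continue
            successes = sum(1 for _, _, ok in chunk if ok)
            if successes / len(chunk) <= max_success_rate:
                cand = {"accounts": len(accounts), "attempts": len(chunk),
                        "successes": successes}
                if best is None or cand["accounts"] > best["accounts"]:
                    best = cand
        if best is not None:
            flagged[ip] = best
    return flagged


def accounts_to_notify(log_text):
    """Accounts that a flagged source actually got into.  These are the users
    whose reused password evidently worked and who should be told to rotate
    it and turn on MFA; a stuffing campaign that never succeeds needs no
    user notification at all."""
    flagged = find_stuffing_sources(log_text)
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        if ip in flagged and ok:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
    print(accounts_to_notify(SAMPLE_LOG))
```

The two outcomes the script separates are exactly the two the company's statement distinguishes: a source that is flagged but has no successes is "blocked login attempts", while a success from a flagged source is an account that was actually accessed with a password reused from elsewhere, and that user needs to be told.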
So, according to the company, it hasn't seen any evidence that it leaked users' data, or that a hacker has successfully gotten into anyone's account. If you're a LastPass user and that sounds like cold comfort, there are two concrete steps worth taking. First, make sure your master password is not used anywhere else: credential stuffing only works when the password an attacker pulled from some other site's breach is the same one you use for your vault, so a unique master password makes the attack a dead end. Second, turn on multi-factor authentication for your LastPass account. MFA means a correct master password alone is no longer enough to log in, which blunts credential stuffing and similar guessing attacks, so it's a good thing to do regardless of how this particular incident shakes out.