The warning messages were sent in error.
What you need to know
- LastPass has denied reports that there were unauthorized login attempts to some accounts.
- The recent security alerts received by some users were apparently triggered in error.
- Some LastPass users received emails this week warning them about failed login attempts.
LastPass users can welcome the incoming year with peace of mind after all. A LastPass executive confirmed that no accounts had been compromised following multiple reports from users claiming they’d been notified of failed unauthorized logins.
The reports were first spotted by AppleInsider in the Hacker News forum. According to the alerts they received, some unauthorized third parties attempted to access their accounts from various parts of the world, such as Brazil. Fortunately, those attempts were thwarted because of the suspicious geographic origin.
Most of the LastPass accounts that got the alert appear to be outdated. Furthermore, the developers behind one of the best password managers for Android told AppleInsider that the login attempts were related to “credential stuffing.” This activity is used by bad actors to gain access to user accounts using details obtained from other services that were involved in a previous third-party breach.
In a statement posted on LastPass’ official Twitter account, LastPass vice president of product management Dan DeMichele said the warning message was likely sent by mistake. “Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved,” he said.
That said, LastPass assures customers that it continues to monitor the situation. It also maintains that there’s currently no evidence pointing to compromised accounts.
The company’s statement may be enough to allay the fears of users who may have panicked after receiving the alert. However, it won’t hurt to remain vigilant and bolster their password manager’s security measures.