On the web, what differentiates a legitimate user from an impostor who wishes to log into an account is the former's knowledge of the account's login credentials.
LastPass is a popular password manager that encrypts users' passwords and stores them online for their convenience. This way, it acts as a handy tool for keeping all of a user's web credentials in one centralized, supposedly secure, location.
LastPass has had its fair share of security issues, and this time a number of users said that they received emails from the company warning them of suspicious login attempts that used their master password from various locations around the world.
Making things even more worrisome, some of the users also claimed that they hadn’t shared their password with any other platform except LastPass.
Because of this, people began to speculate that LastPass may have suffered a data breach that exposed its users' login credentials, which allowed the malicious activity to take place.
The news was first spread on the forum Hacker News before spreading to Twitter.
According to LastPass itself, its system was not breached.
The company investigated the reports of blocked login attempts and, in a blog post, said that it believed the activity was related to attempted "credential stuffing," in which a malicious or bad actor attempts to access user accounts using email addresses and passwords obtained from third-party breaches of other, unaffiliated services.
LastPass continued to say that it hasn’t seen any evidence of actual hacking of its servers or even compromise of individual accounts.
"It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party," said the company.
"We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."
In a follow-up statement, Dan DeMichele, LastPass' VP of Product Management, said that the email security alerts were sent to a limited subset of LastPass users and were likely triggered in error.
DeMichele said that LastPass has adjusted its security alert systems and the issue has been resolved.
"We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users' LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns," DeMichele said.
"However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems."
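The credential-stuffing pattern described above, and the alert-in-error problem DeMichele refers to, can be illustrated with a small defender-side triage routine. This is an added example, not LastPass' code or a description of its systems; the log format and the `fail`/`blocked`/`ok` result codes are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample authentication events (not real LastPass logs).
# result codes (assumed): fail = wrong password, blocked = correct password but
# stopped by a new-location check, ok = successful login
SAMPLE_LOG = """\
2021-12-27T10:00:01Z alice@example.com 203.0.113.5 BR fail
2021-12-27T10:00:02Z bob@example.com 203.0.113.5 BR fail
2021-12-27T10:00:03Z carol@example.com 203.0.113.5 BR fail
2021-12-27T10:00:04Z dave@example.com 203.0.113.5 BR blocked
2021-12-27T10:00:05Z erin@example.com 203.0.113.5 BR fail
2021-12-27T10:00:06Z frank@example.com 203.0.113.5 BR fail
2021-12-27T11:15:00Z alice@example.com 198.51.100.9 US fail
2021-12-27T11:16:00Z alice@example.com 198.51.100.9 US ok
"""

@dataclass
class Event:
    ts: str
    email: str
    src_ip: str
    country: str
    result: str

def parse_log(text):
    """Parse whitespace-separated event lines into Event records."""
    return [Event(*line.split()) for line in text.splitlines() if line.strip()]

def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8):
    """Source IPs that spray many distinct accounts with mostly rejected attempts.
    A single user mistyping their own password touches one account, so it is not flagged."""
    accounts = defaultdict(set)
    attempts = defaultdict(int)
    rejected = defaultdict(int)
    for e in events:
        accounts[e.src_ip].add(e.email)
        attempts[e.src_ip] += 1
        if e.result != "ok":
            rejected[e.src_ip] += 1
    return {ip for ip in attempts
            if len(accounts[ip]) >= min_accounts
            and rejected[ip] / attempts[ip] >= min_fail_ratio}

def accounts_to_alert(events, stuffing_ips):
    """Users whose *correct* password was presented by a stuffing source.
    Wrong-password attempts prove nothing about the user's credential, so they
    never trigger a user-facing alert; alerting on them is how false alarms arise."""
    return {e.email for e in events
            if e.src_ip in stuffing_ips and e.result in ("blocked", "ok")}
```

Run over the sample, only `203.0.113.5` is classified as a stuffing source, and only `dave@example.com` (whose reused password was accepted and then blocked) warrants a warning email.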
LastPass' source code is proprietary rather than open-source, preventing anyone from having a peek into the way it works.
While this makes it somewhat more secure in its own way, it also prevents third parties from auditing the code themselves.
LastPass does undergo independent, third-party audits, but their public availability is limited.
Regardless, LastPass is a powerful tool, and this is one of the reasons for its popularity.
Users who are concerned about their passwords can change them regularly as a preventive security measure in case anything goes wrong.
In fact, LastPass users should regularly update their master password with a strong password, and enable multifactor authentication on their accounts.
LastPass also advises users never to re-use their passwords.
"Re-using passwords is known to be a common (and dangerous) practice, and often leads to one third-party breach creating secondary risk of additional unauthorized account access," the company said.