Hackers trying to access LastPass accounts — what to do

LastPass Logo
(Image credit: LastPass)

Despite it no longer offering a free tier, LastPass remains one of the best password managers, which also makes it a likely target for hackers. A number of users reported that they received warnings that their LastPass master passwords have been compromised, though as in many other cases of this ilk, it appears to be the result of them having re-used passwords, or having their passwords exposed elsewhere.

First appearing in Hacker News, it seems that a number of these attempted breaches originated in Brazil and other parts of the world; due to the unusual origin of these requests, LastPass blocked these attempts and then emailed the legitimate customers, warning that their passwords may have been compromised. 

In a statement to Android Police, LastPass owner LogMeIn said:

"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."

Even if hackers were able to breach LastPass itself, it's highly unlikely that they'd be able to access users' master passwords. That's because LastPass's servers don't store your master password. Instead, they store a "hash" of the master password, which means the master password you type in is run through an algorithm on your device and the result of the algorithm is compared to what LastPass has previously stored.

What to do if your LastPass master password has been compromised

If you received a warning from LastPass that someone attempted to log into your account — or if you want to make it more difficult for hackers to break into your account — there's a few steps you should take right away. 

  • Change your LastPass master password to one that you don't use elsewhere.
  • LastPass users can minimize the risk of compromise by enabling two-factor authentication in their Account Settings > Multifactor Options.
  • Because many of these unauthorized login attempts seem to be coming from Brazil or South Africa, restricting logins to only specific countries should block some of the attempts. Go into Account Settings, click the "Show Advanced Settings" button on the bottom of the Settings window, scroll down and select "Only allow login from selected countries" and then check off the country where you live and those countries that you may frequently visit. Click "Update" when done.
  • If you're worried about failed login attempts to your account, go into Advanced Options from the main menu's navigation bar, then select "View Account History." That will let you view all login attempts, successful or not, over a specific date range. You'll want to look for login attempts from unfamiliar IP addresses that don't match those that you normally use. The IP addresses you normally use will be the vast majority of the successful logins, and those IP addresses that don't match should stand out.

While it's good to know that no accounts were compromised, it's an important reminder as to why having unique passwords are so critical. Using the same password too many times can be a major vulnerability. Now would be a good time to make sure that all your passwords are unique and secure. Web browsers like Google Chrome, Firefox and Microsoft Edge all have features that can warn you if any of your passwords have been breached and can suggest new passwords as well.

Mike Prospero
U.S. Editor-in-Chief, Tom's Guide

Michael A. Prospero is the U.S. Editor-in-Chief for Tom’s Guide. He oversees all evergreen content and oversees the Homes, Smart Home, and Fitness/Wearables categories for the site. In his spare time, he also tests out the latest drones, electric scooters, and smart home gadgets, such as video doorbells. Before his tenure at Tom's Guide, he was the Reviews Editor for Laptop Magazine, a reporter at Fast Company, the Times of Trenton, and, many eons back, an intern at George magazine. He received his undergraduate degree from Boston College, where he worked on the campus newspaper The Heights, and then attended the Columbia University school of Journalism. When he’s not testing out the latest running watch, electric scooter, or skiing or training for a marathon, he’s probably using the latest sous vide machine, smoker, or pizza oven, to the delight — or chagrin — of his family.

TOPICS