Despite it no longer offering a free tier, LastPass remains one of the best password managers, which also makes it a likely target for hackers. A number of users reported that they received warnings that their LastPass master passwords have been compromised, though as in many other cases of this ilk, it appears to be the result of them having re-used passwords, or having their passwords exposed elsewhere.
First appearing in Hacker News (opens in new tab), it seems that a number of these attempted breaches originated in Brazil and other parts of the world; due to the unusual origin of these requests, LastPass blocked these attempts and then emailed the legitimate customers, warning that their passwords may have been compromised.
In a statement to Android Police (opens in new tab), LastPass owner LogMeIn said:
"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."
Even if hackers were able to breach LastPass itself, it's highly unlikely that they'd be able to access users' master passwords. That's because LastPass's servers don't store your master password. Instead, they store a "hash" of the master password, which means the master password you type in is run through an algorithm on your device and the result of the algorithm is compared to what LastPass has previously stored.
What to do if your LastPass master password has been compromised
If you received a warning from LastPass that someone attempted to log into your account — or if you want to make it more difficult for hackers to break into your account — there's a few steps you should take right away.
- Change your LastPass master password to one that you don't use elsewhere.
- LastPass users can minimize the risk of compromise by enabling two-factor authentication in their Account Settings > Multifactor Options.
- Because many of these unauthorized login attempts seem to be coming from Brazil or South Africa, restricting logins to only specific countries should block some of the attempts. Go into Account Settings, click the "Show Advanced Settings" button on the bottom of the Settings window, scroll down and select "Only allow login from selected countries" and then check off the country where you live and those countries that you may frequently visit. Click "Update" when done.
- If you're worried about failed login attempts to your account, go into Advanced Options from the main menu's navigation bar, then select "View Account History." That will let you view all login attempts, successful or not, over a specific date range. You'll want to look for login attempts from unfamiliar IP addresses that don't match those that you normally use. The IP addresses you normally use will be the vast majority of the successful logins, and those IP addresses that don't match should stand out.
While it's good to know that no accounts were compromised, it's an important reminder as to why having unique passwords are so critical. Using the same password too many times can be a major vulnerability. Now would be a good time to make sure that all your passwords are unique and secure. Web browsers like Google Chrome, Firefox and Microsoft Edge all have features that can warn you if any of your passwords have been breached and can suggest new passwords as well.