According to AppleInsider, LastPass claims there is no proof of a data breach after customers reported being warned of unwanted login attempts. The password manager claims that it has never been hacked and that criminal actors have never gained access to customers’ accounts.
The Verge was initially told by Nikolett Bacso-Albaum, the senior director of LogMeIn Global PR, that the alerts users received were related to “fairly common bot-related activity,” involving malicious attempts to log in to LastPass accounts using email addresses and passwords gathered from previous breaches of third-party services (i.e. not LastPass).
“It’s crucial to stress that we have no evidence that accounts were successfully accessed or that the LastPass service was otherwise hacked,” Basco-Albaum stated. “We monitor for this sort of behavior on a regular basis and will continue to take efforts to ensure that LastPass, its users, and their data are safe and secure.”
LastPass vice president of product management Dan DeMichele sent a comment to The Verge late Tuesday night, saying that at least some of the warnings were “likely generated in error” owing to an issue that LastPass has now rectified.
After a LastPass user posted about the problem on the Hacker News site, reports began to surface. LastPass alerted him to a login attempt from Brazil using his master password, he alleges. Other people instantly reacted to the message, stating that they had had a similar experience. Some were also warned of an effort from Brazil, as the original poster (@technology greg) points out in a tweet, while additional attempts were tracked back to other nations. This, obviously, aroused fears of a security vulnerability.
Even if LastPass wasn’t hacked, it’s still a smart idea to protect your account using multifactor authentication, which uses other sources to confirm your identity before you log in.