LastPass says no passwords compromised in latest security scare

From CNET: A security scare cropped up late Tuesday for LastPass users when some reported receiving emails from LastPass alerting them that LastPass had blocked unauthorized attempts to access their accounts. As first reported by AppleInsider, some LastPass users said they were notified of multiple attempted logins from various locations that used their correct master password. LastPass confirmed the email alerts were related to an attempted credential stuffing attack, in which attackers replay username and password pairs leaked from breaches of other services against many accounts at once in the hope that the victims reused them, but said no master passwords were compromised.
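The alerts described above are the kind of signal a login-anomaly detector emits: a correct password presented from several unfamiliar locations in a short window means the credential itself is known to the attacker, which is a different (and worse) situation than a flood of wrong guesses. The block below is an added illustration, not LastPass code or CNET's, that runs such a check over a constructed set of authentication events; the event fields, the 10-minute window and the threshold of three distinct source addresses are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real telemetry from any vendor).
# Fields: (timestamp, account, source_ip, country, password_correct)
EVENTS = [
    # alice: correct master password from four unrelated locations in two minutes
    ("2021-12-28T02:00:01", "alice@example.com", "203.0.113.5",  "BR", True),
    ("2021-12-28T02:00:09", "alice@example.com", "198.51.100.7", "RU", True),
    ("2021-12-28T02:00:15", "alice@example.com", "192.0.2.44",   "VN", True),
    ("2021-12-28T02:01:30", "alice@example.com", "203.0.113.9",  "NG", True),
    # bob: ordinary use from one address
    ("2021-12-28T09:12:00", "bob@example.com",   "192.0.2.10",   "US", True),
    ("2021-12-28T09:40:00", "bob@example.com",   "192.0.2.10",   "US", True),
    # carol: many wrong passwords from many addresses (guessing, not stuffing)
    ("2021-12-28T03:00:00", "carol@example.com", "198.51.100.1", "DE", False),
    ("2021-12-28T03:00:02", "carol@example.com", "198.51.100.2", "DE", False),
    ("2021-12-28T03:00:04", "carol@example.com", "198.51.100.3", "DE", False),
    ("2021-12-28T03:00:06", "carol@example.com", "198.51.100.4", "DE", False),
]


def find_stuffing(events, window=timedelta(minutes=10), min_sources=3):
    """Return {account: (verdict, distinct_sources, countries)} for accounts
    that see at least `min_sources` distinct source IPs inside `window`.

    verdict is "password_known_to_attacker" when the attempts carried the
    correct password (credential stuffing hit: force a reset and step-up),
    or "password_guessing" when they did not (lower severity, rate-limit).
    """
    by_account = defaultdict(list)
    for ts, acct, ip, cc, ok in events:
        by_account[acct].append((datetime.fromisoformat(ts), ip, cc, ok))

    findings = {}
    for acct, evs in by_account.items():
        evs.sort()  # sliding window over time-ordered events
        for i, (t0, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            good = {(ip, cc) for _, ip, cc, ok in in_win if ok}
            bad = {(ip, cc) for _, ip, cc, ok in in_win if not ok}
            if len(good) >= min_sources:
                findings[acct] = ("password_known_to_attacker", len(good),
                                  sorted({cc for _, cc in good}))
                break
            if len(bad) >= min_sources:
                findings[acct] = ("password_guessing", len(bad),
                                  sorted({cc for _, cc in bad}))
                break
    return findings


if __name__ == "__main__":
    for acct, (verdict, n, countries) in find_stuffing(EVENTS).items():
        print(f"{acct}: {verdict} from {n} sources in {countries}")
```

The split on `password_correct` is the point: a stuffing hit against a password manager's master password warrants an immediate forced reset and a second factor, whereas failed guessing only needs throttling. It is also where false positives come from; a user on a VPN that hops exit nodes can trip the same rule, which is why thresholds and the list of "known" locations need tuning before the alert is wired to customer-facing email.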

In a statement, Dan DeMichele, LastPass' vice president of product management, said the email security alerts were sent to a limited subset of LastPass users and were likely triggered in error. DeMichele said LastPass has adjusted its security alert systems and that the issue has been resolved.

"We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users' LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns," DeMichele said. "However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems."

This isn't the first time LastPass, whose source code is proprietary rather than open source, has faced a security scare or criticism over its privacy practices. Its most notable breach was in 2015 and is the only breach noted on LastPass' official site. Around the same time, Asana Security Head Sean Cassidy discovered a phishing vulnerability created by a CSRF bug, and a research paper emerged detailing another CSRF bug and showing that LastPass' Safari bookmarklet option was vulnerable if users were tricked into clicking certain parts of an attacker's site.
