The warning message was sent incorrectly.
What you need to know
- LastPass rejected reports of unauthorized login attempts for certain accounts.
- The security alerts recently received by some users were apparently triggered by mistake.
- Some LastPass users received emails this week warning them of failed login attempts.
After all, LastPass users can welcome the new year with peace of mind. A LastPass executive confirmed that no accounts were compromised after users repeatedly reported that they had received notifications of unauthorized login failures.
AppleInsider first discovered these reports on the Hacker News forum. According to the alerts they received, some unauthorized third parties tried to access their accounts from all over the world (such as Brazil). Fortunately, these attempts were thwarted due to dubious geographic sources.
Most LastPass accounts that received the alert appear to be out of date. In addition, the developer behind one of Android’s best password managers told AppleInsider that login attempts are related to “credential stuffing.” Bad actors use this activity to use detailed information obtained from other services involved in previous third-party violations to access user accounts.
In the official statement issued by LastPass Twitter account, Dan DeMichele, vice president of product management at LastPass, said the warning message was probably sent in error. “Our investigation later discovered that some of the limited subset of security alerts sent to LastPass users may have been triggered by mistake. As a result, we adjusted our security alert system and this issue has been resolved,” he said.
In other words, LastPass assures customers that it will continue to monitor the situation. It also insisted that there is currently no evidence that the account was stolen.
The company’s statement may be enough to alleviate the fear that users may panic after receiving the alert. However, staying vigilant and strengthening the security measures of its password manager will not do any harm.