Revived December 28 | LastPass has already commented publicly on the situation on your blogBut where he repeats what has already been said. Note that someone tried to log into the accounts with real names and master passwords, but the attacks reflected the fact that they came from abroad, so LastPass described the attempts as suspicious and did not let the attackers inside.
The company also continues to claim that it did not hack itself and is not aware of any malware, phishing campaigns or malicious browser extensions that would feed on its users’ credentials. So far, he has no evidence that anyone has stolen and misused the accounts.
LastPass has already warned users about the suspected activity of changing their master passwords and activating 2FA. If someone tries to get an account with someone even after these procedures, it is likely that the fault is on their part. LastPass reiterates that it does not store master passwords on its servers (only their hashes).
On Tuesday, computer security website Bleeping warned of a potentially serious problem with its LastPass service. According to user reports, someone is trying Log in to their account with the correct master passwords.
Any possible cracking of the LastPass master password would give the attacking entity a hand All your shared passwordsThus, access to all your online services except for those that protect your two-login. (Or those whose credentials are not stored in your admin.) In this case, only two-logon will protect you.
The LastPass for Bleeping Computer launcher just mentioned that someone (or something) is trying to crack user accounts using Leak passwords from other services. But people whose LastPass master password is unique also report to the news site. And not only this.
Changing the master password did not help
Some users receive informative emails that someone in different parts of the world tried to log into their account. The attacker uses the correct master password, but LastPass evaluates the login from a foreign site as suspicious and Login attempt ends.
some already Change master passwordHowever, they received the message back to their account Someone tried to log in. This indicates that the service may currently be weak, so it doesn’t matter if you change your password because the attacking entity will get it anyway. According to LastPass, so far No account was successfully hacked.
So it is not currently clear where exactly the problem lies. In general, only the usual preventive change of the master password and especially the activation of the dual login, which LastPass supports, can be recommended. the service itself master password or keys To encrypt decrypt data Do not store on their servers. pretend to on your site.
Two years ago, it had to fix a hole in the Chrome extension that made that possible Theft of stored passwords. According to current reports, some decided to delete their service account, but the process ended in error.
“Proud twitter enthusiast. Introvert. Hardcore alcohol junkie. Lifelong food specialist. Internet guru.”