Online forums are abuzz with reports that LastPass sent emails to users describing unauthorized login attempts with their master passwords, after one user posted about the issue on Hacker News. LastPass has since said it hasn’t leaked user information, leaving people with a lot of questions.
Greg Sadetsky, the Montreal-based technologist who wrote the post on Hacker News, calls himself a part-time involuntary “security mensch.” “I think I’m pretty paranoid,” he told Input, before adding that he has a habit of ending conversations with a reminder not to use the same password twice (“not all conversations, though,” he assured me). In the past month alone, he tells me he’s uncovered security vulnerabilities in both a COVID testing company’s lab and the app that controls the lights above the World Trade Center. “I just want these things fixed,” he said. So on December 27, when Sadetsky got a concerning email from his password manager, he spoke up.
Sadetsky wrote that LastPass had alerted him of a login attempt using his account’s master password with this message: “Someone just used your master password to try to log in to your account from a device or location we didn't recognize.”
He considers the incident particularly concerning because the password was used only on LastPass and stored only in an encrypted password manager called KeePassX. Sadetsky says he had gone through a scrupulous extra step to use a second password manager to generate and encrypt the key to his LastPass password manager.
Could it be a keyboard sniffer? — The last time he’d accessed the master password, he says, was in 2017. He copied it from KeePassX and pasted it into LastPass. He initially reasoned that malware, like a clipboard sniffer, could have gotten his password when he copied and pasted it over four years ago. But when his post developed traction and more people reported the same issue, he says he considered that explanation less likely.
It’s unlikely to be an issue with KeePassX, either. KeePassX stores passwords in an encrypted database, so even someone who obtained the database file could not read the entries without its master key.
Hacked from the same place — Another notable detail is the similarity in IP addresses that attempted the logins. In the email alert, LastPass included the IP address from which the login attempt took place, and Sadetsky found four other users who had received alerts involving startlingly similar IP addresses. At least five users’ accounts had experienced login attempts from foreign IP addresses in the 160.116.x.x range. But at least five other Hacker News users reported similar LastPass alerts involving IP addresses that did not fit with the rest.
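The comparison Sadetsky did by hand above, grouping reported alert IPs to see whether they share a network, is the kind of check an analyst would script when triaging a wave of similar reports. The code below is an added example, not from the article, from LastPass, or from anyone quoted here; the sample addresses are constructed placeholders (only the 160.116 prefix comes from the reports), and grouping by /16 is an assumption, since nothing on the page states what range the clustered addresses actually span.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of source IPs as a triager might collect them from user
# reports. The 160.116 prefix mirrors the reported range; the remaining octets
# and the outlier addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_ALERT_IPS = [
    "160.116.12.5", "160.116.40.17", "160.116.73.201", "160.116.9.88", "160.116.55.3",
    "203.0.113.7", "198.51.100.22", "192.0.2.44", "203.0.113.90", "198.51.100.5",
]


def cluster_by_prefix(ips, prefix_len=16):
    """Group IPv4 source addresses by their /prefix_len network.

    Returns a dict mapping the network (as a string, e.g. "160.116.0.0/16")
    to the list of addresses that fall inside it. IPv6 addresses are skipped
    because a /16 is not a meaningful grouping for them.
    """
    groups = defaultdict(list)
    for raw in ips:
        addr = ipaddress.ip_address(raw)
        if addr.version != 4:
            continue
        # strict=False lets us build the network from a host address.
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[str(net)].append(str(addr))
    return dict(groups)


def dominant_cluster(ips, prefix_len=16, min_size=3):
    """Return (network, count) for the largest group if it has at least
    min_size members, otherwise None (no meaningful clustering)."""
    groups = cluster_by_prefix(ips, prefix_len)
    if not groups:
        return None
    net, members = max(groups.items(), key=lambda kv: len(kv[1]))
    return (net, len(members)) if len(members) >= min_size else None


def outliers(ips, prefix_len=16, min_size=3):
    """Addresses that do not belong to the dominant cluster. If there is no
    dominant cluster, every address is an outlier."""
    dom = dominant_cluster(ips, prefix_len, min_size)
    if dom is None:
        return list(ips)
    net = ipaddress.ip_network(dom[0])
    return [ip for ip in ips if ipaddress.ip_address(ip) not in net]


if __name__ == "__main__":
    print("clusters:", cluster_by_prefix(SAMPLE_ALERT_IPS))
    print("dominant:", dominant_cluster(SAMPLE_ALERT_IPS))
    print("outliers:", outliers(SAMPLE_ALERT_IPS))
```

A shared /16 is consistent with one hosting provider or one operator behind the attempts, but it does not by itself distinguish credential stuffing from a leak on the service side; it only tells the triager which reports to treat as one campaign and which need a separate explanation, which is exactly the split the Hacker News reports showed.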
LastPass shared in an emailed statement that it had no reason to believe its service was compromised:
LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
Something’s not adding up — And LastPass users aren’t quite satisfied with the company’s response. LastPass says the login attempt is the result of a third-party breach, but Sadetsky says he hasn’t used his master password for any other site — how could a third party have breached the master password if no third-party sites had the master password? Other users on Hacker News shared that they had been similarly fastidious. So how had a foreign IP address used the correct credentials?
It’s possible this could be a “false positive” situation. LastPass could have a problem with its emails, not with its security. Sadetsky says he contacted LastPass support and received confirmation that the email was not a phishing scam: it legitimately came from the company. But perhaps it came in error due to a low-level bug. There’s also the possibility that LastPass has a security problem that hasn’t been revealed.
So now what? — “There’s an unknown floating in the air,” said Sadetsky. “There’s something going on that we can’t figure out.” He’s not angry at LastPass, but he’s certainly confused. The experience serves as a reminder of “just how complicated it is to stay secure,” he said.
Regardless of the issue’s cause, it’s a good time to change your LastPass master password. For the overwhelming majority of people who eschew password managers altogether, it’s time to set aside a few minutes to set one up (seriously!!). If you want to avoid compromised accounts — social media, online banking, email, and more — you might want to become more of a security mensch.