Multiple LastPass users have reported login attempts on their accounts using their correct master passwords. Users started receiving emails from LastPass saying that the correct master password had been used, but that the attempt was still blocked because it came from an unusual geographic location.
Some users report that the login attempts succeeded even with two-factor authentication enabled on the account and with a master password that was not reused on any other service. Some also report further login attempts after changing their master password.
"Someone just used your master password to try to log in to your account from a device or Location we didn't recognize," the login alerts warn.
Judging by a Hacker News thread, it appears that most of the affected users had not actively used LastPass for some time and had not changed their master passwords in a while. One comment links to an older Hacker News post describing a LastPass autofill exploit from 2015, which could hint at where the master passwords came from.
There is also speculation that the passwords could have leaked from LastPass' old, discontinued forum, which supposedly required users to log in with their LastPass master password.
LastPass says it's credential stuffing
When contacted about these reports, LastPass said:
“LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.
It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”
That explanation doesn't pass the sniff test. Multiple users have said that their master password was unique and that two-factor authentication was turned on. Some even report unauthorized logins after changing their master password.
To make things worse, users who tried to leave by deleting their LastPass account report getting an error message at the end of the deletion process.
Although LastPass says it is credential stuffing, we strongly recommend that all users change their master password and enable two-factor authentication on their accounts. It is also worth reviewing the account's list of trusted devices and removing any you do not recognize, and, if you believe someone actually got into the vault, treating the credentials stored in it as exposed and rotating them. Another option for LastPass users is the export/migration feature, which lets them move their data to a different password manager.
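A single alert cannot tell the recipient which explanation is right: "correct password from an unrecognized device or location" fires the same way whether one attacker is replaying a leaked password against one account or a bot is replaying millions of breached email/password pairs against every account. What separates the two is the server-side view of the source: a credential-stuffing source touches many accounts with a low correct-password rate. The following is an added example, not LastPass's detection logic or code, that runs both checks over a constructed sample of login events; the field names, thresholds and sample values are assumptions for illustration.

```python
"""Illustrative login-anomaly triage over constructed auth-log events.

Added example: not LastPass's detection logic. It sketches the two signals
the reports turn on: (1) a correct password presented from a device or
location the account has not used before (the condition behind the
user-facing alert), and (2) one source spraying many accounts with mostly
wrong passwords (the credential-stuffing pattern LastPass cited).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    account: str           # constructed sample identifiers, not real users
    source_ip: str         # documentation-range IPs (RFC 5737)
    country: str           # geolocation of source_ip
    password_correct: bool
    device_known: bool     # device/browser previously verified for this account


# Constructed sample log, in chronological order. Not real data.
SAMPLE_EVENTS = [
    LoginEvent("alice@example.com", "198.51.100.7", "US", True, True),    # normal login
    LoginEvent("alice@example.com", "203.0.113.9", "BR", True, False),    # correct password, unknown device
    LoginEvent("bob@example.com", "192.0.2.44", "NL", False, False),      # one source, many accounts...
    LoginEvent("carol@example.com", "192.0.2.44", "NL", False, False),
    LoginEvent("dave@example.com", "192.0.2.44", "NL", False, False),
    LoginEvent("erin@example.com", "192.0.2.44", "NL", True, False),      # ...one reused password hits
    LoginEvent("frank@example.com", "192.0.2.44", "NL", False, False),
    LoginEvent("alice@example.com", "198.51.100.8", "DE", True, True),    # known device, new country
]


def alert_worthy(events):
    """Return (account, source_ip, country) for every correct-password event that
    came from an unknown device, or from a known device in a country the account
    has never been seen in before. An account's first known-device login seeds its
    location history and does not alert. Events must be in chronological order."""
    seen = defaultdict(set)  # account -> countries seen on verified devices so far
    hits = []
    for e in events:
        history = seen[e.account]
        new_location = bool(history) and e.country not in history
        if e.password_correct and (not e.device_known or new_location):
            hits.append((e.account, e.source_ip, e.country))
        if e.device_known:
            history.add(e.country)
    return hits


def classify_sources(events, min_accounts=3, max_hit_rate=0.5):
    """Per source IP: how many distinct accounts it tried and what fraction of
    its attempts carried a correct password. Many accounts with a low hit rate
    is the credential-stuffing signature (breached email/password pairs replayed
    against this service); a single account with a correct password is either
    the owner or a targeted attacker. Thresholds are assumptions for the sample."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e.source_ip].append(e)
    verdicts = {}
    for ip, evs in per_ip.items():
        accounts = {e.account for e in evs}
        correct = sum(1 for e in evs if e.password_correct)
        hit_rate = correct / len(evs)
        if len(accounts) >= min_accounts and hit_rate <= max_hit_rate:
            verdicts[ip] = "credential_stuffing"
        elif correct and len(accounts) == 1:
            verdicts[ip] = "targeted_or_legit"
        else:
            verdicts[ip] = "inconclusive"
    return verdicts


def triage(events):
    """Attach the per-source verdict to each alert, which is the context a
    user-facing 'someone used your master password' email does not carry."""
    verdicts = classify_sources(events)
    return [(acct, ip, country, verdicts[ip]) for acct, ip, country in alert_worthy(events)]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Note that erin's event is flagged by both checks: her reused password is a genuine credential-stuffing hit, and it is also exactly the alert a user would receive. Only the aggregate over the source IP shows that it was bulk replay rather than someone who knew her password specifically, which is why a user reporting "my password was unique" and a vendor reporting "this is bot activity" can both be describing the same event honestly.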
LastPass update statement
LastPass has since published a blog post on the unusual attempted login activity. In it, LastPass says:
“Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.”
“These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to remember that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s),” they added.