2021-12-29

Users of LastPass are reporting attempts to access their accounts using correct master passwords from locations other than where the users themselves are located, which raises the suspicion of a possible security breach at the password management service.

The reports appear on the Hacker News forum, where several users claim that their LastPass master passwords appear to be compromised. The first reports are beginning to circulate on Twitter as well. How the passwords came into circulation is currently unknown, but some recurring elements are emerging among the users who find themselves victims in this situation.

"A heads up for my friends, LastPass password manager isn’t secure at the moment. There’s a certain rush to hijack all data using master passwords as we speak." zodttd (@zodttd), December 28, 2021

In fact, most of the breaches appear to involve outdated accounts, that is, accounts not used for some time and with passwords that have never been updated. At the moment it is unclear how extensive the breach may be and whether LastPass is actually under attack. Given the picture that is emerging, it is possible that this stems from a breach that occurred earlier, even a long time ago.

LastPass has not yet released an official position at the time of writing. In the meantime, the advice for users of the LastPass service is to change all their passwords and the master password protecting the service, enable two-factor authentication, and watch for any suspicious access to their accounts.

Update 28-12-2021, 20:03 – A LastPass spokesperson released this official note: “LastPass has reviewed recent reports of blocked login attempts and we believe the activity is related to a ‘credential stuffing’ attempt, in which an attacker attempts to log into user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches relating to other unaffiliated services. Importantly, at this time, we have no indication that account access has been successful or that the LastPass service has otherwise been compromised by an unauthorized party. We regularly monitor this type of activity and will continue to take steps to ensure that LastPass, its users and their data remain safe and secure.”