As part of our commitment to security, we want to make sure our customers and the public are aware of recent reports from LastPass users of fraudulent SMS account recovery requests. Our security and engineering teams have recently observed potential “credential stuffing” attacks occurring. Credential stuffing attacks are events when a malicious or bad actor attempts to access user accounts (e.g., in this case, LastPass) using e-mail addresses and passwords obtained from third-party breaches related to other unaffiliated services. Using an encrypted password manager and only using complex, unique passwords – bolstered by multi-factor authentication – is the ideal protection against this type of attack.
We want to reassure you that there is no indication that LastPass or LogMeIn were breached or compromised.
How LastPass Protects Against Malicious Activities
LastPass was built with security in mind and includes various features, including the account recovery process, designed to protect against unauthorized or malicious access. The account recovery process specifically, requires several steps designed to ensure that recovery can only be executed by the real owner, including requiring a one-time passcode (OTP) that the account owner receives via email or text to be input during the recovery login flow. Once OTP receipt has been confirmed, the user must additionally execute the recovery process on a browser or platform where the user has previously logged in successfully via LastPass Browser Extension (e.g., on Chrome, Edge, Safari, etc.). This process is being triggered but cannot be completed as expected on an attacker machine.
LastPass also has many industry-standard protections in place, from various infrastructure level solutions, such as multiple web application firewalls, DDoS protection solutions, and malicious request filtering engines, to various application-level protections where we limit unusual behaviors in various ways. Operating and keeping these tools up-to-date is a continuous commitment from us to keep our users safe.
Creating a Strong Master Password
It’s very important that you use a strong Master Password and it should never be used as a password for any other website or app. If you or your end users have re-used your LastPass Master Password anywhere, we recommend immediately changing your LastPass Master Password and enabling multi-factor authentication on your account, as well as your end users’ accounts.
Although you’re protected by the many layers of encryption and security we put in place to keep your data safe, using a strong, unique Master Password will not only help to protect you from a brute-force attack but should also ensure that a breach at another random website won’t affect your LastPass account. While we enforce industry-standard minimums when creating the Master Password (must be at least 12 characters long, at least 1 number, at least 1 lowercase and 1 uppercase letter), LastPass users should make the Master Password as strong as possible. Specifically, that means a Master
Password should be long and unique, with a mix of character types.
Dangers of Password Re-Use
As the world continues to work remotely and spend more time online, there have been a generally observed increase in cyber-attacks and breaches. Unfortunately, with large data leaks, millions of usernames and passwords are out there for anyone to abuse. The easiest way for attackers to make use of those credentials is to systematically try logging in to other websites, such as LastPass, with the same username and password combinations.
Creating long, strong and unique passwords is one of the main reasons you’re using a password manager like LastPass. We’re fortunate to be one of the most popular password managers available, but that doesn’t mean our service is exempt from these attempts either. Because re-using passwords is such a common (though dangerous) practice, we do everything we can to protect our users.
What Can LastPass Users Do?
To help ensure your LastPass and other online accounts are secured from bad actors or hackers, we recommend users follow these online best practices:
- Use a strong, secure master password for your LastPass account that you never disclose to anyone.
- Never reuse passwords on multiple accounts, especially your LastPass Master Password. Use a different, unique password for every online account.
- We strongly advise using the LastPass Security Dashboard to identify websites saved in your vault where you’re re-using passwords. LastPass can help you replace those passwords with strong, unique ones using our password generator tool.
- Enable dark web monitoring in the Security Dashboard. Once it’s on, you can relax knowing that LastPass is monitoring your account security for you. If an account is at risk, you will receive an alert in your email and in-product.
- Turn on multi-factor authentication for LastPass and other services like your bank, email, Twitter, Facebook, etc.
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Run antivirus, end-point protection, and/or anti-malware protection software, as well as regularly update your software and anti-virus signatures.
- Make regular backups (either locally or to the cloud) of your critical data – this will serve you very well in case of ransomware attacks and similar. If all else fails, you do have your data in a safe pace. Create a bi-weekly or bi-monthly habit to synch/run backup to catch up any changes.
