Protecting LastPass Users from Password Reuse

As you’ve probably seen over and over again in the news these last few weeks, many big brands, such as LinkedIn and MySpace, have recently suffered data leaks and security incidents. Unfortunately, with large data leaks like these, millions of usernames and passwords are now out there for anyone to abuse. And the easiest way for attackers to make use of those credentials is to systematically try logging in to other websites with the same username and password combinations.

Because of how frequently people reuse passwords, attackers will quickly gain access to accounts on other websites in what’s known as a “password-reuse attack”. The new website itself hasn’t had a security issue, but its users are now at risk because they’ve used the same passwords across multiple websites. We’re fortunate to be one of the most popular password managers available, but that doesn’t mean our service is exempt from these attempts either. And because reusing passwords is such a common (though dangerous) practice, we do everything we can to protect our users, even if it means protecting them from themselves.

That’s why our team of security engineers is constantly monitoring the web for usernames and passwords that are leaked when other websites are hacked. Whenever we become aware of new leaks, we immediately source the lists of leaked usernames and passwords and scan them against our own user base, to see if any are a match for LastPass accounts. If a match is found, we immediately disable the account to protect the user’s vault. This is something the LastPass team has been doing for years to proactively protect our users.

What steps have we taken?

In the case of the recent LinkedIn incident, the data breach itself happened a few years ago, but the list of usernames and passwords has only now been leaked online. In response, we’ve disabled any LastPass user accounts that were found to be a match for the leaked credentials. To clarify, there has been no breach or security issue with LastPass; this is simply a proactive measure on our part to protect users who reused their passwords on other breached websites.

Does LastPass have my master password?

No, LastPass never has your master password. When passwords are leaked from other websites, LastPass runs that data through scripts that simulate a login attempt. The script performs the same standard PBKDF2 hashing that LastPass applies every time you log in, which is how we verify that the password you’ve entered is correct. We then compare the result of the script to the password hash stored in our database. If the password hashes match, we know that the password was reused on your LastPass account, and the account will be disabled.
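The check described above, as an added Python example that is not LastPass’s own code: each leaked credential is run through the same PBKDF2 derivation a login would perform, using the account’s stored salt and iteration count, and only a matching verifier flags the account for disabling. The hash parameters, user records and leaked list are constructed placeholders, not the real service’s configuration or data.

```python
import hashlib
import hmac
import secrets

# Assumed scheme for illustration: PBKDF2-HMAC-SHA256 with a per-user random
# salt and a per-user iteration count. The page does not state LastPass's exact
# parameters, so these are placeholders, not the real service's configuration.
ITERATIONS = 100_000

def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the stored verifier exactly as a login attempt would."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def enroll(password: str) -> dict:
    """Constructed user record: only salt, iteration count and hash are kept."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": derive(password, salt, ITERATIONS)}

# Constructed user database keyed by account email (sample data, not real users).
USERS = {
    "alice@example.com": enroll("correct horse battery staple"),
    "bob@example.com": enroll("Summer2016!"),
    "carol@example.com": enroll("unique-vault-passphrase-9f3"),
}

# Constructed sample of a credential dump leaked from some other website.
LEAKED = [
    ("alice@example.com", "letmein123"),                   # different password
    ("bob@example.com", "Summer2016!"),                    # reused: match
    ("carol@example.com", "unique-vault-passphrase-9f3"),  # reused: match
    ("dave@example.com", "hunter2"),                       # no such account here
]

def accounts_to_disable(users: dict, leaked) -> set:
    """Simulate a login with each leaked credential and collect the accounts
    whose stored verifier matches; the plaintext is never stored anywhere."""
    matches = set()
    for email, password in leaked:
        record = users.get(email.lower())
        if record is None:
            continue  # username not registered with this service
        candidate = derive(password, record["salt"], record["iterations"])
        # Constant-time comparison avoids leaking match information via timing.
        if hmac.compare_digest(candidate, record["hash"]):
            matches.add(email.lower())
    return matches

if __name__ == "__main__":
    print(sorted(accounts_to_disable(USERS, LEAKED)))  # bob and carol
```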

What can LastPass users do?

If your account was disabled, you’ll be prompted to log in from a trusted location to verify and re-enable your account. To re-enable your account:

1. Log in via the web vault https://lastpass.com/

2. The re-enable process will be triggered.

3. From there, log in via the extension or the web vault and you will be directed to reset your master password.

If you see the message that “your account is deactivated” when trying to log in, simply head to https://lastpass.com to start the verification process. If you’re logging in from an unknown device or new location, you will be redirected to a previously trusted device or asked to log in from a previous location (IP address) where you accessed your account before.

Once complete, you’ll unlock your account and be able to update your master password with a new, stronger one.

We then strongly advise using the LastPass Security Challenge to scan your vault for other websites where you’re reusing passwords. LastPass can help you replace those passwords with strong, unique ones using our password generator tool. Even if you haven’t reused your LastPass master password, it’s a good time to run the Security Challenge and make sure that for every website you use, you have a different password.

14 Comments

  • Kathryn Foster says:

    My LastPass account has been deactivated. I have no idea why. I have not changed my master password. Your recovery options just say they have sent a code to my email that LastPass is registered on; however, as the password for that email is stored in LastPass, I can no longer access the email address. All the passwords for all my different accounts are stored in LastPass, so ultimately I have lost access to many accounts. There is no customer support at all where I can try to resolve this issue. How do I get my account back?

    • Kathryn Foster says:

      Issue resolved by logging on via phone and re-enabling account. I would still like to know why my account was deactivated in the first place though. This issue caused me a very stressful couple of hours.

  • Barbara says:

    I believe that I already signed up for LastPass several months ago. I got the LastPass info and a request to download the program again. Do I need to download LastPass again?

  • paul says:

    2. The re-enable process will be triggered

    Nothing happened. My vault opened but nothing else.

    Website? Do you mean my open vault URL? Why would I give you that? Please advise.

    • Amber Gott says:

      Hi Paul, it sounds like you were logging in from a trusted location, so no further action was needed. Let us know if we can help further!

  • Bentsen says:

    Hello!
    My account is disabled and I cannot enable it even using my real existing home IP. All my information is there. How can I fix it? Please help me!

  • Vicki Hanna says:

    How does this reactivate my account? All you are doing is sending me in circles. I suggest you fix this issue, since you do not seem to be able to send helpful information on a blog that sends me back to the same stupid sites. You want to make this hard, I do not need it and will spread the word. There is another program out there, and I have better things to do with my time than try and reactivate an account with useless information.

    • Amber Gott says:

      Hi Vicki, sorry to hear of the trouble caused by our security measures. Are you logging in from a device / location that you’ve previously used with LastPass? If so, it should verify the account for you. If you continue to have trouble please get in touch with our team: https://lastpass.com/supportticket.php so we can take a closer look – thanks!

  • Alexis Peart says:

    Hello there 👋 Is there a way or video that explains how to use LastPass in every single detail, I mean all its features? The ones on YouTube are only about 5 minutes long, and I notice that it comes with too many features, so they cannot all be covered in 5 minutes. Or maybe a user’s guide or manual?