
What steps have we taken?
In the case of the recent LinkedIn incident, the data breach itself happened a few years ago but the list of usernames and passwords has only now been leaked online. In response, we’ve disabled any LastPass user accounts that were found to be a match for the leaked credentials. To clarify, there has been no breach or security issue with LastPass; this is simply a proactive measure on our part to protect users who reused their passwords on other breached websites.
Does LastPass have my master password?
No, LastPass never has your master password. When passwords are leaked from other websites, LastPass runs that data through scripts that simulate a login attempt. The script performs the standard PBKDF2 hashing that LastPass uses every time you log in, which is how we know that the password you've entered is correct. We then compare the result of the script to the password hash stored in our database. If the password hashes match, we know that the password was reused on your LastPass account and the account will be disabled.
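The check described above, as an added example that is not LastPass's own code: each leaked username/password pair is run through the same PBKDF2 derivation as a login and compared with the stored hash. The salt handling, iteration count, record layout and sample credentials are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not LastPass's actual setting


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Same PBKDF2 derivation the login path would run on a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str) -> dict:
    """Build a stored record: only salt, iteration count and hash are kept."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": derive(password, salt), "disabled": False}


def disable_reused(leaked, accounts):
    """Simulate a login per leaked pair; disable accounts whose hash matches."""
    hits = []
    for email, password in leaked:
        key = email.strip().lower()
        record = accounts.get(key)
        if record is None or record["disabled"]:
            continue  # no account under that address, or already handled
        candidate = derive(password, record["salt"], record["iterations"])
        # Constant-time comparison, as a real login check would use.
        if hmac.compare_digest(candidate, record["hash"]):
            record["disabled"] = True
            hits.append(key)
    return hits


# Constructed sample data: three accounts and a made-up leaked list.
ACCOUNTS = {
    "alice@example.com": enroll("Summer2012!"),
    "bob@example.com": enroll("unique-vault-passphrase"),
    "carol@example.com": enroll("hunter2"),
}
LEAKED = [
    ("Alice@Example.com", "Summer2012!"),  # reused password: match
    ("bob@example.com", "linkedin-only"),  # different password: no match
    ("dave@example.com", "whatever"),      # no such account
    ("carol@example.com", "hunter2"),      # reused password: match
]

if __name__ == "__main__":
    print(disable_reused(LEAKED, ACCOUNTS))
```

The service only ever handles the plaintext that was already leaked elsewhere; the stored record contains a salt and a derived hash, never the master password.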
What can LastPass users do?
If your account was disabled, you’ll be prompted to log in from a trusted location to verify and re-enable your account. To re-enable your account:
1. Log in via the web vault at https://lastpass.com/
2. The re-enable process will be triggered
3. From there, log in via the extension or the web vault and you will be directed to reset your master password.
If you see the message that "your account is deactivated" when trying to log in, simply head to https://lastpass.com to start the verification process. If you're logging in from an unknown device or new location, you will be redirected to a previously trusted device or asked to log in from a previous location (IP address) where you accessed your account before.
Once complete, you’ll unlock your account and be able to update your master password with a new, stronger one.
We then strongly advise using the LastPass Security Challenge to scan your vault for other websites where you’re reusing passwords. LastPass can help you replace those passwords with strong, unique ones using our password generator tool. Even if you haven’t reused your LastPass master password, it’s a good time to run the Security Challenge and make sure that for every website you use, you have a different password.