
Unusual Attempted Login Activity: How LastPass Protects You

Gabor Angyal, December 28, 2021
As part of our commitment to security, we regularly monitor our services for actual, suspected, or attempted malicious or unusual activity. We recently investigated reports of an uptick in users receiving blocked-access emails, which are normally sent to users who log in from different devices and locations. Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass accounts) using email addresses and passwords obtained from third-party breaches of other, unaffiliated services.

We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of these credential stuffing attempts, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns. However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered by our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems, and this issue has since been resolved. These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to remember that LastPass’s zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).

How LastPass Helps Protect Against Malicious Activities

Using an encrypted password manager with complex, unique passwords (i.e., never re-using a password across different websites), bolstered by multi-factor authentication, is, in our view, one of the ideal forms of protection against credential stuffing. LastPass was built with security in mind and includes features such as notifications for failed logins, trusted device verification, account recovery, and more.
  • LastPass has mechanisms in place designed to notify users when failed login attempts on their accounts are observed, such as the ones indicated in these recent reports. These notifications alert the user that a login attempt was blocked or failed because an invalid email address and master password combination was used, or that the user must first verify the device as “trusted” via email verification.
  • As a security precaution, LastPass will routinely require users to log in to their accounts again and re-verify their trusted devices. If you are prompted to do so, please log into your LastPass account with your master password and check your email to re-verify your trusted devices.
  • The account recovery process is designed to protect against unauthorized or malicious access. It requires several steps designed to ensure that recovery can only be executed by an authorized user/account owner, including a one-time passcode (OTP) that the account owner receives via email or text and must enter during the recovery login flow. Once OTP receipt has been confirmed, the user must additionally execute the recovery process on a browser or platform where the user has previously logged in successfully via the LastPass Browser Extension (e.g., on Chrome, Edge, Safari, etc.).
LastPass also maintains numerous industry-standard protections, from infrastructure-level solutions, such as multiple web application firewalls, DDoS protection solutions, and malicious request filtering engines, to application-level protections that limit unusual behaviors in various ways. Operating these tools and keeping them up to date is a continuous commitment from us to keep our users safe.
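The failed-login notifications and the application-level limits on unusual behavior described above can be illustrated with a small detector. This is an added example, not LastPass's code: the log format, field names, thresholds (five distinct accounts failing from one source within five minutes) and the sample log lines are all constructed. It keeps the two views a defender needs separate: the per-source view that recognizes credential stuffing (one address failing against many different accounts, something no single user can see), and the per-account view that decides whether a given user should be emailed, which fires only on that account's own failed attempts or on a successful login from a device that account has not verified before.

```python
"""Toy credential-stuffing detector over constructed authentication events.

Hypothetical log format (not LastPass's real logs):
    <ISO-8601 UTC timestamp> ip=<source> user=<account> device=<id> result=fail|success
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines. 203.0.113.7 sprays six different accounts in
# a few seconds; the other sources are ordinary user traffic.
SAMPLE_LOG = """\
2021-12-27T10:00:01Z ip=203.0.113.7 user=alice@example.com device=dev-x1 result=fail
2021-12-27T10:00:02Z ip=203.0.113.7 user=bob@example.com device=dev-x1 result=fail
2021-12-27T10:00:03Z ip=203.0.113.7 user=carol@example.com device=dev-x1 result=fail
2021-12-27T10:00:04Z ip=203.0.113.7 user=dave@example.com device=dev-x1 result=fail
2021-12-27T10:00:05Z ip=203.0.113.7 user=erin@example.com device=dev-x1 result=fail
2021-12-27T10:00:06Z ip=203.0.113.7 user=frank@example.com device=dev-x1 result=fail
2021-12-27T10:01:10Z ip=198.51.100.20 user=alice@example.com device=dev-a1 result=fail
2021-12-27T10:01:25Z ip=198.51.100.20 user=alice@example.com device=dev-a1 result=success
2021-12-27T10:02:00Z ip=192.0.2.9 user=carol@example.com device=dev-new result=success
2021-12-27T11:30:00Z ip=198.51.100.33 user=dave@example.com device=dev-d1 result=fail
2021-12-27T11:30:20Z ip=198.51.100.33 user=dave@example.com device=dev-d1 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) device=(?P<device>\S+) result=(?P<result>\S+)$"
)

# Constructed per-account trusted-device registry (hypothetical).
TRUSTED = {"alice@example.com": {"dev-a1"}, "carol@example.com": {"dev-c1"}}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: accounts} for sources whose failed logins touched at least
    `min_accounts` distinct accounts inside some interval of length `window`.
    Many failures against ONE account are not flagged here (a forgotten
    password looks like that); many accounts from one address is the signature."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            failures[e["ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        in_window = Counter()  # distinct accounts currently inside the sliding window
        start = 0
        for ts, user in attempts:
            in_window[user] += 1
            while ts - attempts[start][0] > window:  # slide the window's left edge
                old_user = attempts[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if len(in_window) >= min_accounts:
                flagged.setdefault(ip, set()).update(in_window)
    return flagged


def user_notifications(events, trusted_devices):
    """Per-account Counter of notification reasons: 'failed_login' for that
    account's own failed attempts, 'verify_device' for a success from a device
    the account has not trusted. A success from a trusted device produces
    nothing, so a user is never emailed because of other accounts' traffic."""
    notes = defaultdict(Counter)
    for e in events:
        if e["result"] == "fail":
            notes[e["user"]]["failed_login"] += 1
        elif e["device"] not in trusted_devices.get(e["user"], set()):
            notes[e["user"]]["verify_device"] += 1
    return notes


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, accounts in stuffing_sources(evs).items():
        print(f"credential stuffing suspected from {ip}: {len(accounts)} accounts targeted")
    for account, reasons in sorted(user_notifications(evs, TRUSTED).items()):
        print(account, dict(reasons))
```

On the sample data the spraying source is flagged while the two legitimate sources are not, and every account still receives a notification for each of its own failed attempts, which is the effect the post describes: a stuffing campaign produces a wave of blocked-login emails to the accounts it touches. The per-source signal is what the service would act on (rate limiting, request filtering); the per-account signal is what the user sees.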

Creating a Strong Master Password

It’s very important that you use a strong Master Password and never re-use that password for any other website or app. A strong password is long, unique, and sufficiently random. For your Master Password, which you need to remember, we recommend using a passphrase, like a long sentence or series of words. If you or your end users have re-used your LastPass Master Password anywhere, we recommend immediately changing your LastPass Master Password and enabling multi-factor authentication on your account, as well as on your end users’ accounts. Although our zero-knowledge model is designed to ensure your data remains safe and secure, it’s equally important for you to use a strong, unique Master Password, which will not only help to protect you from a brute-force attack but should also help to ensure that a breach at another, unrelated website won’t affect your LastPass account. While we enforce industry-standard minimums when you create your Master Password (must be at least 12 characters long, at least 1 number, at least 1 lowercase and 1 uppercase letter), LastPass users should make the Master Password as strong as possible. Specifically, that means a Master Password should be long and unique, with a mix of character types.
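As an added example (not LastPass's code or its strength scoring), the following Python check enforces the minimums stated above, estimates how much guessing resistance a candidate Master Password actually offers, and tests whether the candidate is already in use as one of the vault's site passwords. The entropy model is an assumption: random characters are scored by the size of the character classes present, while a passphrase of three or more words is scored as words drawn from an assumed 7776-word list, and the lower of the two estimates is reported. The vault contents and candidates are constructed.

```python
"""Master Password checks: stated minimums, a conservative entropy estimate,
and a reuse check against the vault. The 12-character / digit / lowercase /
uppercase minimums are the ones the post states; the scoring model is an
assumption for illustration."""
import hashlib
import math
import re

MIN_LENGTH = 12  # minimum length stated in the post
REQUIRED_CLASSES = {
    "digit": re.compile(r"[0-9]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
}
# Assumed pool sizes for the character-class entropy estimate.
CLASS_POOLS = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),
]
DICEWARE_WORDS = 7776  # assumed size of the list a passphrase's words come from


def policy_violations(password):
    """Return the stated minimums the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, rx in REQUIRED_CLASSES.items():
        if not rx.search(password):
            problems.append(f"no {name}")
    return problems


def estimate_entropy_bits(password):
    """Conservative guessing-resistance estimate in bits.

    Character model: length * log2(size of the character classes present).
    For three or more words the attacker is assumed to guess whole dictionary
    words, so the word-based estimate is used when it is the lower one; this
    is why a four-word passphrase does not get credit for ~190 bits."""
    pool = sum(size for rx, size in CLASS_POOLS if rx.search(password))
    char_bits = len(password) * math.log2(pool) if pool else 0.0
    words = [w for w in re.split(r"[\s\-_]+", password) if w]
    if len(words) >= 3:
        word_bits = len(words) * math.log2(DICEWARE_WORDS)
        return round(min(char_bits, word_bits), 1)
    return round(char_bits, 1)


def assess_master_password(candidate, vault_passwords):
    """Policy check + entropy estimate + reuse check against the vault.
    Vault passwords are compared as SHA-256 digests so the result holds no
    plaintext; the check is local, nothing is sent anywhere."""
    def digest(p):
        return hashlib.sha256(p.encode("utf-8")).hexdigest()

    stored = {digest(p) for p in vault_passwords}
    return {
        "violations": policy_violations(candidate),
        "entropy_bits": estimate_entropy_bits(candidate),
        "reused_in_vault": digest(candidate) in stored,
    }


# Constructed sample vault contents (not real credentials).
SAMPLE_VAULT = ["Summer2021!", "Xk9#pL2mQ7vR", "correct Horse battery staple9"]

if __name__ == "__main__":
    for candidate in ["Passw0rd", "tr0ub4dor&3", "Summer2021!",
                      "velvet Canyon otter 42 lantern"]:
        print(repr(candidate), assess_master_password(candidate, SAMPLE_VAULT))
```

The reuse check is the master-password counterpart of the point the post makes about site passwords: a Master Password that also unlocks some other account is only as safe as that other service's breach history. Note that a short password can satisfy every character-class rule and still score low, which is why the post's advice leans on length and passphrases rather than on the minimums alone.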

Dangers of Password Re-Use

As the world continues to work remotely and spend more time online, there has been an observed general increase in cyber-attacks and breaches across websites and online services. Unfortunately, with large data leaks, millions of usernames and passwords may become publicly available on the Internet and susceptible to attempted abuse. One known way in which attackers may attempt to exploit the information from these leaks is by systematically trying to log in to other websites, such as LastPass, with the same username and password combinations obtained from third-party, unaffiliated breaches. Re-using passwords is known to be a common (and dangerous) practice, and one third-party breach then creates a secondary risk of additional unauthorized account access. While LastPass can help its users avoid some of these dangers by generating secure, unique, and complex passwords via its “Password Generator” and “Save and Fill” functionality, we also recommend that users take advantage of all the secure features of LastPass and employ a variety of tools, technology, and practices to protect their accounts and usernames.

What Can LastPass Users Do?

To help ensure your LastPass and other online accounts are secured from bad actors or hackers, we recommend users follow these online best practices:
  • Use a strong, secure Master Password for your LastPass account that you never disclose to anyone.
  • Never re-use passwords on multiple accounts, especially your LastPass Master Password. Use a different, unique, and suitably complex password for every online account.
  • We strongly advise using the LastPass Security Dashboard to identify websites saved in your vault where you’re re-using passwords. LastPass can help you replace those passwords with strong, unique and complex ones using our password generator tool.
  • Enable dark web monitoring in the Security Dashboard. Once it’s on, you can rest assured knowing that LastPass is providing additional monitoring of your account on your behalf. If an account is determined to be at risk via the monitoring, you will receive an alert in your email and in-product.
  • Turn on multi-factor authentication for LastPass and other services like your online banking, email, social media, etc.
  • Be aware of and recognize the common signs of attempted phishing attacks. Do not click on links from people you don’t know, or that seem out of character for your trusted contacts and companies.
  • Run anti-virus, end-point protection, and/or anti-malware protection software, as well as regularly update your software and anti-virus signatures.
  • Make regular backups (either locally or to the cloud) of your critical data – backups help to ensure you have an additional copy of your data in a safe place (i.e., in the event of loss of access to your regularly accessed copy). Creating a daily, weekly, bi-weekly or bi-monthly backup is a good “best practice” to ensure that all changes, additions, and new files are maintained and remain up-to-date.