Recently, news emerged about a credential stuffing attack on LastPass, a popular password management application used by millions across the globe. Several users of the service had claimed that they had received emails from LastPass about unauthorized log-in attempts using their master passwords. Speculation soon arose about whether there had been a breach of LastPass master passwords, which function as a ‘master key’ for users to unlock the application or its browser extension. Once unlocked with a user’s master password, LastPass simplifies and speeds up logging in to various websites by automatically entering (or saving for later) usernames and passwords on the sites stored in users’ LastPass accounts, as well as two-factor authentication (2FA) codes required by the website or app being visited.
LastPass Statement About the Purported Breach
LastPass quickly issued a statement that “…Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”
It appears that the alerts sent by LastPass to some users were erroneously triggered by an internal error, despite the scare it caused among many of its users. LastPass’s VP of Engineering stated in a blog post that “Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.”
LastPass Has Had Breaches in the Past
Though LastPass has reported breaches in the past, most recently a security vulnerability in its extension for Google Chrome, this does not appear to be another breach. Many internet users practice poor password hygiene and tend to reuse the same passwords across several websites and applications they use. It is very likely that some LastPass users had reused an old password that had been previously breached or leaked as their master password for LastPass as well, despite the service exhorting its users to create a unique master password not used anywhere else.
Credential Stuffing Attacks With 2FA Phishing Through Bots Pose a Critical Vulnerability
What this news underscores is that credential stuffing attacks remain amongst the biggest security threats to web users from cybercriminals and hackers who use bots to rapidly and sequentially test previously breached or leaked log-in credentials for nefarious purposes. While many websites and apps now require their users to use 2FA to additionally secure the user log-in process, even 2FA codes can be compromised by a new breed of robo-calling phishing bots as we explained in our blog. Only a specialized bot management solution that can effectively differentiate between humans and bots on a website or app can prevent credential stuffing and phishing attacks in the first place.