
Credential stuffing attack scares LastPass users





Users of the LastPass encrypted password manager are on edge after word spread that some customers have received alerts that their credentials are being used by an unauthorized third party to get into their systems.

On Tuesday, LastPass said, "Some of these security alerts, which were sent to a limited subset of LastPass users, were probably triggered by mistake. As a result, we have adjusted our security alerts system and this issue has since been resolved."

"Our initial findings led us to believe that these alerts were triggered in response to an attempted 'credential stuffing' activity, in which a malicious or bad actor could access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unrelated services," the company's senior director of engineering Gabor Angyal said in a blog.

"We acted quickly to investigate this activity and, at this time, there is no indication that any LastPass account was compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that a user's LastPass credentials were hacked by malware, rogue browser extensions, or phishing campaigns."

"LastPass does not at any time store, have knowledge of, or have access to a user's master password," he said.

The alerts have led some LastPass users to worry that this was something other than a credential stuffing attack, and that their usernames and passwords were compromised in some way, the Bleeping Computer news service reports.

It quotes security researcher Bob Diachenko as tweeting that he recently found thousands of LastPass credentials via Redline Stealer malware logs. However, the news site was also told by LastPass customers who received login alerts that their emails were not on the list of login pairs harvested by Redline Stealer that Diachenko found.

LastPass, which sells a password manager for enterprises as well as individuals, reminds users of the importance of using a complex, unique password as their master password to log into applications and of protecting that login with multi-factor authentication.
