HACKER Q&A
📣 gregsadetsky

How did my LastPass master password get leaked?


Hi,

I've just had a bizarre thing happen and wanted to see if the HN community could come up with some theories as to what happened.

LastPass blocked a login attempt from Brazil (it wasn't me). According to an email I received from LastPass, this login was using the LastPass account's master password. The email doesn't look like it's a phishing attempt.

What troubles me is that the master password was stored in a local encrypted KeePassX file.

I can imagine that someone has my KeePassX file and the (completely different) password to this file. If that's the case, I'm in a world of hurt.

But are there any other possibilities? Is the email from LastPass accurate i.e. was the login attempt actually using my master password? Is there some LastPass extension installed on some computer still having a valid auth token allowing them to login as me to LastPass..?

I'm really confused, and scared.

Thanks for your help.

P.S. The LastPass account had 2FA set up, but I was able to simply remove it (since I didn't have access to the token anymore). That's scary too -- what's the point of a 2FA you can remove...??

---

Update:

- the email was truly not phishing -- the same information regarding the login attempt appears in my LastPass dashboard. I also talked to LastPass support over the phone, and they confirmed seeing the same information.

- There are 2 separate users in the thread below confirming that the exact same thing happened to them, from the exact same IP range as me.

Either the 3 of us had the same malware/Chrome extension or somehow had our master passwords compromised...? Or...? Is this a LastPass issue?


  👤 ComputerGuru Accepted Answer ✓
Because LastPass is beyond stupid and uses your master password to log in to their bbulletin or whatever php forum.

That’s what got me to write and publish this: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...

EDIT: "or whatever" means I couldn't remember the name of the php forum notorious for its insecurity, I thought it was something like 'bbulletin'. It was phpBB.


👤 techknight
This also happened to me back on Nov 10, 2021. I had an old LastPass account, wasn't using it, when all of a sudden I get an email:

-- Login attempt blocked Hello,

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look. ---

Like you, it told me that the attempt came from Brazil, using an IP address starting with 160. I have no idea how they would've gotten that password. Made me wonder if LastPass had some issue, but nothing was in haveibeenpwned.


👤 trajcek
Just happened to me one hour ago and got scared shitless.

  Time Monday, December 27, 2021 at 3:50 PM EST
  Location UNITED STATES
  IP address 107.173.195.83
Actions taken, in this order:

  - Head to *Advanced Options* -> *View account history* to see if anything suspicious is going on (nothing so far)
  - Disable Lastpass MFA and use Google Authenticator (Authy)
  - *Account Settings* -> click on *Show Advanced Settings* -> *Destroy Sessions* (to see if anyone is actively logged in)
  - *Account Settings* -> click on *Show Advanced Settings* -> *Country Restriction* to my country only (luckily not in the US as the bot was)
  - Change Master Password
Also moments earlier:

  - Investigating all Mac processes
  - Disabled all Chrome extensions and deleted most (should have made a list)

Let's hope it's not as bad as it seems.

Edit#1 | The following IP addresses are reported in the thread so far:

  160.116.88.235
  160.116.231.145
  160.116.88.235
  107.173.195.83
  107.173.195.213
  154.202.117.78
  196.19.204.79

👤 dogman123
Hey, this _just_ happened to me too....my password would be near impossible to guess and is not used elsewhere...

Just deleted my LastPass account!

here's the info that came with the email

  Time Monday, December 27, 2021 at 1:41 PM EST
  Location São Paulo, SP 01323, BRAZIL
  IP address 160.116.88.235


👤 PanopticonMan
Just checking the absolutely obvious, because I had a similar thing ... and then it turned out I had my VPN on. Thought I'd double check, in case someone was as silly as I am.

👤 mellowagain
This has nothing to do with OP's problem but I figured this may be a good place to post about my bad experience with LastPass back in 2019:

When I moved to Bitwarden, I deleted my account on LastPass. I received a confirmation email regarding my account which states [0]:

> Your LastPass account has been permanently deleted and all of your data has been purged from our systems.

A few months later I received an email stating that my premium subscription is expiring [1]. Clearly my account was not actually permanently deleted from their systems. Considering LastPass is a service used for storing passwords, I think this is unacceptable. How am I sure that they also still don't have my passwords that I had saved in their account?

I reached out to them via Twitter when this happened (because that is apparently how you get support in this day and age) and only then I was told that my account was actually deleted. I still have no way of verifying if this is in fact true or not.

[0]: https://i.imgur.com/P5yEqEl.png
[1]: https://i.imgur.com/WyEueF6.png


👤 drakonka
This article claims LastPass has responded to their request for comment: https://www.howtogeek.com/776450/lastpass-says-it-didnt-leak...

"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."


👤 claudiojulio
Please stop using this service. Use reliable, open source and auditable services. https://www.privacyguides.org/software/passwords/

👤 RKearney
Since your master password is stored in another password manager, would it be accurate to say you copy/paste it into LastPass? If so, something running on your machine could be scraping your clipboard.

This of course assumes that it wasn’t really you from an IP that was just misidentified as being from Brazil.

For what it’s worth, I stopped using LastPass after they sold out to LogMeIn and would recommend others stop using it as well.


👤 noitpmeder
+1 -- happened to my account today as well. Haven't logged into or used this account in years. Password is unique and has never been used elsewhere.

Deleted my account.

Email Text:

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Was this you?

  Account ...@gmail.com
  Time Monday, December 27, 2021 at 11:53 AM EST
  Location São Paulo, SP 01323, BRAZIL
  IP address 160.116.95.249


👤 mulmboy
Same thing for me. I last changed my master password on Oct 4 2021. Password never used elsewhere and stored only in my head, which makes me suspect a bad Chrome extension.

```
Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Was this you?

Account xxx@xxx.com
Time Monday, December 27, 2021 at 12:06 PM EST
Location Berlin, BE 12529, GERMANY
IP address 196.19.169.161
```


👤 lukasm
Meta: Do not use LastPass for the whole password. My method http://lukasz-madon.github.io/Password-management/

👤 drakonka
I am surprised that LastPass have not yet addressed this. Even if it isn't a widespread incident, the fact that this is being reported by multiple people seems worrying enough for a password manager to respond promptly.

👤 ufmace
May be a dumb question, but how much are we trusting Lastpass that whoever tried these logins actually used the correct master password? The posted statements sound a bit ambiguous, maybe they're mistaken? Does it show as a login attempt if somebody uses your correct account email address and the wrong password?

Of course if Lastpass is sending ambiguous or mistaken communication about whether someone else has your master password, that's a really bad sign for them as a company too.

On the "bright" side, if somebody had your KeePassX file and master password to that, I would think they'd be doing things a lot worse than trying to log into your LastPass account from Brazil. If they had that data and were serious about LastPass for some reason, they'd probably at least break into your email too and try and intercept those warning emails. Keep an eye on email, banking, credit card, hosting systems, any other higher-value accounts that might have credentials in that file for any signs of suspicious activity. If there's none, then a successful exfiltration of that data seems unlikely.


👤 jagstangxl
I received the alert of a blocked login attempt yesterday from 168.81.33.157 (Mumbai, India).

I don’t use LastPass often and wasn’t 100% on my master so I tried logging in and also received the blocked login alert from my attempt. I verified the new location/device and then tried again and it told me the password was invalid. Tried again and got in fine.

Could it be that master passwords are not actually compromised but they are sending the unrecognized device/location on any login attempt regardless of correct master?

Can someone else verify blocked login from unknown device/location using a wrong master password?


👤 benlivengood
The proper response to this:

0. Consider using a new device for the following or wipe and reinstall an old device in case it's a malware/spyware attack.

1. Change your email provider(s) passphrase first, assuming it may be compromised. This is your key to recovering most other accounts if necessary. Make sure 2FA is turned on.

2. Work down the priority list (financial, work, GitHub, etc.) and reset passwords. Turn on 2FA where applicable.

3. Consider using integrated browser password managers (slightly less in-band signalling for such a security-sensitive tool) or your own locally encrypted list which can be synced with version control to other devices.


👤 CryptoBanker
This just happened to me today, but login location was Bangkok. I also haven’t used my LastPass account in almost 2 years since I switched to Bitwarden, so no way this could have been stolen from my computer recently.

👤 pupppet
This just happened to me Nov 10. I created a brand new LastPass account (created for the sole purpose of retrieving a password a client shared with me), generated a password from 1Password and copy/pasted it into the sign-up form in Chrome. It was barely an hour later before I got the ‘Login attempt blocked’ from São Paulo.

👤 RisingFusion
Same issue for me.

Time Monday, December 27, 2021 at 3:55 PM EST

Location UNITED STATES

IP address 154.202.117.78

Password is only used for lastpass. It was caught since I use 2FA. I did previously have "The Great Suspender" chrome extension, which changed hands and had an update including malware, I wonder if this was the culprit.

I last changed my master password on November 24, 2017, the previous exploit was apparently resolved in July 2016.


👤 grumblepeet
I might be overreacting but if it’s true then it’s bad. I've been getting reports from my devices that all my accounts had been leaked in a data breach and I was thinking whaaa? What, all of them? Wait a minute! Some of which I had generated complex long passwords for in LastPass and even I didn’t know what the password was. So this fits.

My Evernote account which I don’t use any more is showing logins from Brazil. I’ve disabled it and asked for an account deletion. I've got a bad feeling about this.


👤 bombita
Another data point, same deal.

  Time Monday, December 27, 2021 at 1:29 PM EST
  Location São Paulo, SP 01323, BRAZIL
  IP address 160.116.231.145
Went ahead and deleted my Lastpass account and changed my password in other password managers.

👤 baobabKoodaa
I'm guessing that the email actually was a phishing attempt, and no-one actually has your LastPass master password.

👤 wruza
I didn’t receive any emails (usually they do send them when logging in from non-recent locations). I have 2FA turned on via Google Authenticator, also not used LastPass for a year or so. When I tried to delete my account, guess what: “Something went wrong: A.” Was unable to login again, but I was able to re-register and see an empty vault, then delete it again with the same error message.

I contacted their support to check if it’s gone for good, waiting for a reply. Lesson learned, don’t forget to delete password vaults not in use.

> account had 2FA set up, but I was able to simply remove it (since I didn't have access to the token anymore)

I rarely say “amazing”, but this is the time.


👤 tlrobinson
Given we’re likely stuck with passwords for the foreseeable future, I’d like to see two things in a password manager (maybe these exist?)

1. “hardware wallet” level security, with good UX. Maybe a USB/Lightning dongle, but I really wish computers/phones had built-in capability to do hardware wallets. Apple TouchBar got close (I realize it wouldn’t be considered a dedicated hardware wallet).

2. a way to automatically roll passwords periodically (with a small amount of user intervention, per requirement #1). This would require either some excellent AI or crowdsourced automations for every website.


👤 ChrisMarshallNY
I remember reading that LastPass had a breach, some time ago.

I think that LastPass and 1Password are the ultimate targets for hackers.

Wouldn't surprise me if they got in. Hackers ain't Matthew Broderick, anymore.

EDIT: Deleted somewhat cynical editorializing


👤 fer
My bet is on the 2017 breach. Those affected/unaffected can share how old their master password is? With enough data points it can be easy to pinpoint.

👤 Raed667
My bet would be on malware or a compromised browser extension. You probably typed (or copy/pasted) the password and something kept a copy along the way.

👤 jwatt
I stopped using Lastpass in 2017 after the second breach that year that allowed remote code execution:

https://en.wikipedia.org/wiki/LastPass#2017_security_inciden...

It wasn't so much that that happened, but rather their response:

https://blog.lastpass.com/2017/03/important-security-updates...

- "Our investigation to date has not indicated that any sensitive user data was lost or compromised"

- "No master password change is required"

- "No site credential passwords need to be changed"

Given the fact that an attacker could run code in a user's browser extension without any communication with Lastpass servers, there was no way for them to know whether the master or site passwords had been stolen. The only responsible thing for them to do at that point in my view was to recommend everyone change all their passwords. Instead they completely played it down.

So they completely lost my trust and I spent the next several days moving off LastPass and changing the passwords for hundreds of websites...I feel for all of you finding yourselves in that situation now. :-(


👤 bigmattystyles
After reading that it wasn't phishing, my first thought is that they use log4j internally and the attempts to extract user passwords via email came from the inside.

👤 scottm01
Adding to the chorus. I used LastPass until 2018. I received a similar email from LastPass (and had forgotten that I never got around to actually deleting the account after I migrated).

My master password was a long multi word phrase with numbers and special characters, and was not used for anything except LastPass. I find their claims of credential stuffing suspect.

Edit -- Also had MFA enabled and received the email in November.


👤 coryfklein
FWIW, I migrated off paid LastPass onto the free BitWarden plan recently and my experience has been much improved. I was a huge LastPass proponent in the beginning and at the time they seemed like the obvious best choice in a field with few options. But they have definitely not been able to keep up with the times and their paid service just isn't even comparable to what is now available for free.

👤 ipunchghosts
I got the same thing in the last month. Then my bank account had 7 transactions from AliExpress about a week later. None were mine. I deleted everything in LastPass and deleted my account.

👤 minaguib
I'd get in touch with LastPass support asap to see if they have a digital trail to help you figure out what happened.

I'd also guess the most plausible situation would be malware on your computer that managed to sniff your credentials in-transit/clipboard/memory/browser/keyboard and exfiltrate it to some shady folks.


👤 yosito
Without knowing anything about LastPass, a few ideas come to mind. First, is your master password only something that exists in your head? Or is it written down anywhere else, either digitally or physically? If so, someone may have gained access to that. Did you use the same password anywhere else, ever? If so, it could have been in a database of possible passwords that someone used to try to brute force a copy of your KeePassX file, and succeeded. Also possible liabilities for brute force attacks are using a password that contains some kind of facts or information related to you, such as a birthday, loved one's name, address, etc.

The other possibility that comes to mind is a man in the middle attack, if your password was ever sent over the wire with zero or weak encryption when someone was snooping, like on coffee shop wifi or even a nosy neighbor on your home wifi.


👤 bugstomper
LastPass posted on their blog Dec 28 that they have identified a problem that resulted in emails being sent incorrectly:

https://blog.lastpass.com/2021/12/unusual-attempted-login-ac...

"However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved."


👤 shmoogy
Changed mine just in case. I don't use it anymore; I think everything in it is obsolete, but I'm always nervous something old is still active in it and I would lock myself out.

👤 ksec
What are the chances this has something to do with Log4j Vulnerability?

[1] https://community.logmein.com/t5/LastPass-Support-Discussion...


👤 eksployted
I also just had this happen as well and have the same setup. Unique password stored in keepass-x and I use the chrome extension. I have very few installed though, so hopefully not a malicious one there.

installed extensions: ublock origin, OneTab, Lastpass, metamask, cisco webex, edit this cookie


👤 M3wThr33
My login attempt info:

  Time Monday, December 27, 2021 at 5:51 PM EST
  Location GERMANY
  IP address 168.81.122.153

It was definitely a unique password. Last set in 2017, but changed now. I had just purged virtually all the data in the account recently, but it's still frightening.


👤 badrabbit
Guess? Either you fell for a phish or my intuition tells me you may have run an infostealer malware (exfils data and leaves little trail). No matter what type of 2fa you have, it is useless if the auth token can be accessed post authentication (cookie theft basically).

👤 scraft
I used Keepass + Dropbox (to sync the database). This setup was suggested to me when I joined a company that requires complex unique passwords for all sign ups. At the time I didn't think too much about it, but this thread has made me thankful I was guided in this direction.

I don't have experience of any other password management software, so I certainly can't compare and contrast. But I will say Keepass + Dropbox has worked flawlessly for me across desktop, laptop and mobile. The biggest inconvenience I have had is things like manually typing in a Netflix password into a Smart TV when on holiday (just takes time with long passwords with capitals, lowercase, numbers and symbols).


👤 hakube
It happened to me too, but I haven't used LastPass for years now. I got an email saying that somebody tried to access my account from the US (the attacker is using a VPN) and changed the password and recovery email on my Outlook account.

👤 tjmehta
Do you ever store your LastPass in your clipboard? Malicious apps on some platforms can access your clipboard without your knowledge. Do you use a clipboard manager? Is it trustworthy? Does it store data safely on disk?

Good questions to ask yourself


👤 Xcel
Same issue just arose for me but got 2 emails from different IPs. Master password only stored in my head and is completely unique. Master pre-dates 2017. I have only used LP on my one PC and the phones I have used over the years. The only device I do not still have in my possession is one that I traded in 3 weeks ago for new device (I wiped the trade-in).

Location UNITED STATES IP address 198.23.179.27

Location Frankfurt am Main, HE 60313, GERMANY IP address 168.81.130.131


👤 jackdawipper
If you change the master password, and then still get the same message after that, then this means it is not from some old hacked data store, but it is someone able to glean the latest master password from your account live.

I saw this on Twitter, but can't reply as I am in twit jail: "Exactly the same thing happened to me last night. They tried again literally minutes after I changed the password to something not used on any other form."


👤 OliverLukacovic
Hopefully LastPass is already researching. Nothing on any other board, Twitter or on the LastPass webpage. The Chrome vulnerability was 2019. Long time to stand in the shadow.

👤 a-dub
do you have it installed on your smartphone? have you ever entered your master password on your smartphone? what sort of smartphone do you have, does it get security updates regularly, is the manufacturer competent?

same with your desktop. is everything up to date?


👤 theunquietone
Just happened to me a few hours ago. Completely random password only written down in a notebook locked in my safe.

- - - - - -

Login attempt blocked Hello,

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Was this you?

  Account
  Time Tuesday, December 28, 2021 at 7:33 AM EST
  Location UNITED STATES
  IP address 163.198.130.161


👤 anair13
Just got the same notification 2 hours ago, from IP address 107.173.195.213
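The OP's update and trajcek's Edit#1 point out that the alerts different people received fall into the same IP ranges. The following is an added example (not code posted in the thread, and not LastPass's own tooling) that takes the alert bodies quoted in the posts above, pulls out the time, location and IP address fields, and buckets them by /16 prefix so the clustering can be checked rather than eyeballed. The alert texts are copied from the posts as they appear; anair13's IP-only line is included to show how a record with missing fields is handled.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Alert bodies as they appear in the posts above, in the one-line form the
# email text took when pasted into the thread. The last entry is anair13's
# post, which gives only the IP address.
ALERTS = [
    "Account ...@gmail.com Time Monday, December 27, 2021 at 11:53 AM EST Location São Paulo, SP 01323, BRAZIL IP address 160.116.95.249",
    "Account xxx@xxx.com Time Monday, December 27, 2021 at 12:06 PM EST Location Berlin, BE 12529, GERMANY IP address 196.19.169.161",
    "Time Monday, December 27, 2021 at 1:29 PM EST Location São Paulo, SP 01323, BRAZIL IP address 160.116.231.145",
    "Time Monday, December 27, 2021 at 1:41 PM EST Location São Paulo, SP 01323, BRAZIL IP address 160.116.88.235",
    "Time Monday, December 27, 2021 at 2:07 PM EST Location Fair Lawn, NJ 07410, UNITED STATES IP address 172.245.155.253",
    "Time Monday, December 27, 2021 at 3:50 PM EST Location UNITED STATES IP address 107.173.195.83",
    "Time Monday, December 27, 2021 at 3:55 PM EST Location UNITED STATES IP address 154.202.117.78",
    "Time Monday, December 27, 2021 at 5:51 PM EST Location GERMANY IP address 168.81.122.153",
    "Time Tuesday, December 28, 2021 at 7:33 AM EST Location UNITED STATES IP address 163.198.130.161",
    "Just got the same notification 2 hours ago, from IP address 107.173.195.213",
]

# Field patterns matching the wording of the LastPass alert as quoted in the thread.
TIME_RE = re.compile(
    r"Time\s+(?P<when>[A-Za-z]+, [A-Za-z]+ \d{1,2}, \d{4} at \d{1,2}:\d{2} [AP]M)\s+(?P<tz>[A-Z]{3,4})\b"
)
LOCATION_RE = re.compile(r"Location\s+(?P<loc>.+?)\s+IP address")
IP_RE = re.compile(r"IP address\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
TIME_FORMAT = "%A, %B %d, %Y at %I:%M %p"


def parse_alert(text):
    """Extract time, location and IP from one alert body.

    The IP address is required (nothing to correlate on without it); the other
    fields are None when the post did not include them.
    """
    ip_match = IP_RE.search(text)
    if not ip_match:
        return None
    time_match = TIME_RE.search(text)
    loc_match = LOCATION_RE.search(text)
    return {
        # Naive datetime: every alert quoted in the thread carries the same EST label.
        "time": datetime.strptime(time_match["when"], TIME_FORMAT) if time_match else None,
        "tz": time_match["tz"] if time_match else None,
        "location": loc_match["loc"] if loc_match else None,
        "ip": ipaddress.ip_address(ip_match["ip"]),
    }


def parse_alerts(texts):
    return [r for r in (parse_alert(t) for t in texts) if r is not None]


def group_by_prefix(records, prefixlen=16):
    """Bucket records by network prefix (default /16, the granularity the thread talks about)."""
    groups = defaultdict(list)
    for r in records:
        net = ipaddress.ip_network(f"{r['ip']}/{prefixlen}", strict=False)
        groups[str(net)].append(r)
    return dict(groups)


def time_window(records):
    times = [r["time"] for r in records if r["time"] is not None]
    return (min(times), max(times)) if times else (None, None)


def summarize(texts, prefixlen=16):
    """Count alerts per prefix (largest buckets first) and report the time span covered."""
    records = parse_alerts(texts)
    groups = group_by_prefix(records, prefixlen)
    first, last = time_window(records)
    return {
        "alerts": len(records),
        "prefixes": {net: len(rs) for net, rs in sorted(groups.items(), key=lambda kv: -len(kv[1]))},
        "first": first,
        "last": last,
    }


if __name__ == "__main__":
    s = summarize(ALERTS)
    print(f"{s['alerts']} alerts between {s['first']} and {s['last']} (all labelled EST)")
    for net, count in s["prefixes"].items():
        print(f"  {net:<18} {count} alert(s)")
```

With the ten alerts above, 160.116.0.0/16 accounts for three reports and 107.173.0.0/16 for two, with the rest spread over single prefixes, and every timestamped alert falls within roughly twenty hours. That is the shape one expects from a bot run against many accounts from a small pool of hosts, which is what LastPass's statement quoted later in the thread describes, and it says nothing by itself about whether the passwords were correct.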

👤 shudza
I see a lot of people suggesting other password managers, so I was wondering am I the only one who uses Google's? I've used LastPass briefly but it was pretty buggy and didn't feel like it was worth the price. Google (Chrome) password manager is free, and recently got a native autofill for Android, which works flawlessly, compared to others.

👤 varjolintu
This is quite interesting. The first thing that comes to my mind is clipboard sniffing. Copy/paste should never be used for passwords. Using it for the master password is even more dangerous if you are using a cloud based password manager. KeePass(XC) has Auto-Type after all.

I also wonder if these cases with 1Password and Bitwarden are related: https://old.reddit.com/r/1Password/comments/rimvc8/constantl... https://old.reddit.com/r/Bitwarden/comments/rmp1c4/what_is_t...


👤 cassepipe
Not an answer to OP but I had seen that on HN a while ago: https://www.lesspass.com/ Really liked the idea of not having to rely on a third-party ... But I never used it because of Firefox master password and sync functionality. Too lazy.

👤 zhuanyi
A bit off-topic but to all the security experts in this thread, what's the best way to encrypt a USB that is being carried around? Other than security I am also hoping for a bit of portability where I could plug into, say, public computers and able to see the contents relatively quickly. Is BitLocker considered as "secure"?

👤 codexon
I just checked my account, no login attempts on my end. My master password is not stored or written down anywhere.

👤 vbo
Reading the comments here there's one possibility that I haven't seen mentioned in that there may be an issue with lastpass allowing some level of access into people's accounts without actually having the password (which wouldn't enable the attacker to access the encrypted data).

👤 emotivehealer
Yeah me too. Same IP range too, but location listed as Toronto. Not that this means anything.

👤 dogman144
OP, the direction of this is totally based on these questions:

- have you reused your LP master password as a password anywhere besides LP.

- have you entered your LP master password into anything besides a LP login window. (edit: nvm, ya it went into the other PW manager. Without investigating that, not worth pointing the finger at LP and causing enterprise LP account usage chaos).

- Do you enter the LP password into only the browser extension from LP, your phone's LP app, and any other LP-official services when you log into it.

If you can do a yes/no answers, totally clears this up or totally escalates it.


👤 l33r
My girlfriend once asked me why I don't use a password manager like LastPass. A week later she got locked out of her LastPass account because she was inadvertently using an enterprise account that one of her clients forced her to use while on a project. And even though she was paying for her own premium LastPass subscription, the support experience she had was terrible. The issue was resolved when the client was able to unlock the account for her, but it was a pain because it was during the holidays. I would avoid password management software because of her experience.

👤 chubs
Just tried to delete my lastpass account and get the following message: "Something went wrong. : A" Not very confidence-building. Anyone know how to work around this?

Also: Went to https://support.logmeininc.com/lastpass/help/delete-your-las... and it doesn't actually tell you how to delete the account, just tells you how to recover your password. Methinks this is all a dark pattern.


👤 emkowale
As a 35+ year software engineer with a very strong networking background I cannot understand why anyone would put anything in the cloud. The likelihood of me getting hacked is pretty rare. I'm just not that important. Now put me on a server with dumb/non-tech savvy rich important bankers, politicians and celebrities on a publicly accessible network and I am a target. So stupid. What's even dumber is that people pay for this service!

Hosea 4:6 My people are destroyed from lack of knowledge.


👤 shrimp_emoji
Here's what happened when I tried deleting my LastPass account: https://i.imgur.com/QazTVTD.png

👤 gravelc
Trying to delete my old inactive account and it keeps throwing a meaningless error: "Something went wrong. : A". Wish I'd been more sensible and done it earlier.

👤 seanwilson
> Either the 3 of us had the same malware/Chrome extension

Is stealing the master password this way possible in practice? As far as I know, Chrome extensions cannot inject e.g. JavaScript into tabs and toolbar popups that are owned by Chrome extensions. Random pages and extensions are able to send string/JSON messages to an extension but message sources usually have to be on an allow list + JavaScript `eval` should be disabled in the Chrome extension context.


👤 w0wbagger
I've been having this problem for the last couple of months. Correctly using my (altered several times) password that I don't use anywhere else. The attempts come from the Isle of Man. It could be any of 3 different devices that have been compromised. I've run 5 different keylogging detection programs on my machine and get nothing, so wondering if it's a Chrome extension exploit?

👤 hwestiii
I doubt this is your situation, but about 10 years ago, I discovered a person’s 1Password database on a bookmark sharing service, and it was using a very poorly chosen password. My recollection is that it was a large text file containing Javascript code at the beginning and the encrypted text database at the end. The person must have inadvertently saved it as part of archiving their desktop files to the service.

👤 Thisisthefuture
I wonder if it's related to this https://www.reddit.com/r/privacy/comments/fdo494/facebook_kn...

"The password for this router had been generated using Lastpass."


👤 GBond
Reading this thread is giving me major trust issues

👤 brendoelfrendo
I'm a day late, but I just got a similar email but with an IP in Canada. So the anecdata continues...

👤 swissfunicular
I know this is irrelevant, but these are my two pennies. Apart from a strong password and 2FA, I have restricted login to only my country. So one can't log in from another country, unless the hacker knows which country I have set and uses that VPN. Also I have blocked login from Tor.

👤 Havoc
>Is there some LastPass extension installed on some computer still having a valid auth token allowing them to login as me to LastPass..?

You can kill existing sessions - see account settings destroy sessions.

Edit: All looks normal my side. No emails, no login attempts, but will change pass just in case


👤 dkonieczek
I've been getting lastpass 2fa codes via text sent to me before and after changing master passwords lately. However I don't get the authenticator notification like I would from a login attempt so I'm thinking they're attempting password resets?

👤 hellotesttest
Oh no it happened to me too

Time Monday, December 27, 2021 at 2:07 PM EST

Location Fair Lawn, NJ 07410, UNITED STATES

IP address 172.245.155.253


👤 nwellinghoff
Look at the email headers and post them here. Was the email actually from lastpass????!!!

👤 natch
Could be that someone at Lastpass simply does not know how to write properly.

Maybe the attacker attempted to use the master password login feature without having the actual correct master password itself, and the email is poorly written.


👤 teasnob
Sounds like securing your password manager with two factor authentication is a must!

👤 zaxbeast
I stopped logging in to my Google account because they keep sending me multiple emails about suspicious activity every time I do. Thanks Google... Finally mostly Google-free.

Not sure why anyone is still using Lastpass though...


👤 incangold
I just tried logging in with the wrong password from a new machine and received an email with the same wording.

Anyone care to replicate?

I think the problem might be a badly-worded email- they may not have your password.


👤 donedeals
Got the same but from NJ.

👤 eksployted
I just had this happen to me as well. I don't use the password anywhere else and I also have it stored in keepass-x

👤 learner007
some potential areas to consider

- used a VPN service that was malicious
- router is compromised
- someone near you was running a MITM device like Stingray (assuming you were using a mobile device away from home)
- mobile device had unpatched OS (exploit gains root access via something like binary sms)
- your desktop / laptop is compromised


👤 rainhacker
Anyone else considering having another password manager, such as Bitwarden, and periodically syncing it with LastPass?

👤 rusnoob
You just reused your LP masterpass and email on some random forum and that's probably the whole story.

👤 anotheryou
Does LastPass have a login history? First thing would be to check if the mail is genuine.

👤 cypherg
disable logins from countries other than your own for increased security

👤 s0rr0wskill
Lastpass is not a good password manager, use something like Bitwarden

👤 farzher
there's countless exploits for lastpass. it's definitely possible they logged in, even without having your password. i remember seeing a list of like 10 lastpass exploits

👤 gbolcer
Do you have your master password stored in a file or email someplace?

👤 verifex
I don't trust LastPass or practically anyone else to be 100% secure. I use keepass, and store the file somewhere I can access remotely (online file storage) so I can access it via my phone. If someone hacks your file storage account, they still can't access your passwords. The master password can be as complex or composite as possible and you never enter it into anything except the secure screen in keepass. There are some neat plugins for keepass too.

TL;DR keepass can do everything lastpass does, while you still hold all the keys and the data.


👤 nemacol
Which password manager do you folks use?

👤 riffic
Lastpass has been a pile of hot garbage for a while, so this is somehow not surprising.

👤 cranberryturkey
was it a login attempt or an actual login?

👤 epa
Use bitwarden

👤 1cvmask
Master passwords are static passwords by definition. It could have been an old fashioned keylogger for example. It could also be a phishing email attempt.

Disclaimer: I worked on the 2FA part of the saas pass password manager which never has a master password and always uses passwordless MFA like scanning an encrypted barcode for unlocking the browser extension.


👤 IsThisYou
> Is the email from LastPass accurate

I don't know LastPass, but is it possible to login and see what emails they sent you? Or maybe see a list of login attempts?


👤 asow92
People are always saying (smugly) how crucial LastPass is...

👤 replete
You trusted an online service to look after your passwords. Use something local, like 1password. I have no idea why anyone would use a hosted solution like LastPass. Of course something will happen?