LastPass users began reporting login attempts from unknown locations using correct master passwords earlier this week. The password manager company claims these likely came from reused passwords uncovered from unrelated hacks, but some users disagree and have suggested various theories.
LastPass users on the Hacker News forum are reporting login attempts on old and inactive accounts. However, it does not appear to be isolated to defunct credentials. Others report getting email notifications of strange login attempts on newer active accounts.
After looking into the reports, LastPass released a statement today claiming it doesn’t think the service itself was compromised. The company believes the credentials came from past unrelated service hacks. Some users on Hacker News say they got login notifications after recently switching to new, unique passwords.
One theory on the forum suggests that someone is exploiting a LastPass browser extension vulnerability through an exceptionally well-crafted phishing site. The site is connected to an IP address associated with more than one of the login attempts, which appears to be from Brazil. Some other attempts came from India, and at least one other came from Thailand.
It’s important to note that none of the login attempts have penetrated LastPass’s two-factor authentication, which you should probably already be using for any service that offers it. Concerned users should also consider changing their master passwords.