Whether you’re a long-time LastPass user or a new subscriber, it may be time to update your master password. Several LastPass users report that hackers are trying to break into their account using correct login information, which may have been obtained through unrelated data breaches.
LastPass sends its customers a notice when it detects an “unauthorized” login attempt for their account. A glut of users are receiving these notices, leading some to believe that LastPass was hacked. But in a statement to our sister site, How-To Geek, LastPass clarifies that it has not suffered a data breach.
It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
It appears that an organized group of hackers are simply trying to brute-force their way into LastPass accounts using basic credential stuffing techniques. In other words, hackers are taking emails and passwords stolen from other websites and blindly plugging this data into LastPass, accessing random accounts along the way.
If you reused your LastPass master password for another service, such as your bank or a social media platform, then your account may be vulnerable to hackers. You should update your master password immediately—pick something that’s unique and secure, and please enable two-factor authentication for an extra layer of security!
Even if you don’t reuse your password manager’s master password, you should change it every once in a while. Most password managers (including LastPass) don’t store user login credentials in their servers, but hackers can still obtain your master password through alternative means, such as keyloggers.