Posted on December 30, 2021 at 8:17 AM
LastPass VPs say there is no sign of a breach despite security alerts
LastPass caused considerable anxiety among its users earlier this week, after hundreds of them took to social media platforms to report that they were receiving alerts that their accounts had been compromised.
However, two vice presidents of the platform have issued statements on the matter, as they seek to bring calm to the hundreds of users that are now anxious regarding the security of their accounts.
LastPass VPs disregard security alerts
The two vice presidents of the company responded after overwhelming activity from social media users. Two days ago, users took to sites such as Twitter and Reddit complaining that they were receiving notifications about their password being used by someone else.
Some of the users also stated that after receiving the first notification, they changed their master password. However, they later received another alert telling them that someone was trying to access their account.
Earlier this week, the company issued a press release on the matter, noting that its security team had analyzed and investigated the reports. The team had detected a number of attempts to log in to user accounts by trying candidate credentials against them.
The attackers were using a technique known as credential stuffing, in which large numbers of previously exposed username and password combinations are tried against accounts in the hope that some users reused them; any match gives the attacker access to that account.
The vice president at LastPass, Gabor Angyal, noted that “While we have observed a small uptick in this activity, we are utilizing multiple technical, organizational, and operational methods designed to protect against credential stuffing attempts. Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn was breached or compromised.”
The company further expounded on what the vice president had stated. In a statement issued on Wednesday, it said that it had launched an investigation into the matter and was heeding the reports from users who had received emails telling them that a login attempt on their account had been blocked.
The platform also noted that these blocked-access emails are normally sent to users who log in from a different device or location. Its preliminary investigation found that the alerts about attempts to target various accounts were attributable to credential stuffing: the repeated login attempts against these accounts were what triggered the alerts.
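As an added illustration (not from the article, and not LastPass's own code), the two kinds of rule described above run over a few constructed login records: the per-account new-location check that produces a blocked-access email, and the source-level count that identifies credential stuffing. The IP addresses, accounts, known-location table and thresholds are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not real LastPass telemetry).
# Fields: timestamp, source IP, account, whether the submitted master password was correct.
LOG_LINES = """\
2021-12-27T10:00:01 198.51.100.7 alice@example.org pw=bad
2021-12-27T10:00:02 198.51.100.7 bob@example.org pw=bad
2021-12-27T10:00:03 198.51.100.7 carol@example.org pw=ok
2021-12-27T10:00:04 198.51.100.7 dave@example.org pw=bad
2021-12-27T10:00:05 198.51.100.7 erin@example.org pw=bad
2021-12-27T11:30:00 203.0.113.9 grace@example.org pw=ok
2021-12-27T12:00:00 192.0.2.44 alice@example.org pw=ok
2021-12-27T12:05:00 203.0.113.77 grace@example.org pw=ok
"""

# Source IPs each account has previously signed in from (constructed).
KNOWN_IPS = {
    "alice@example.org": {"192.0.2.44"},
    "carol@example.org": {"192.0.2.10"},
    "grace@example.org": {"203.0.113.9"},
}

def parse(text):
    """Turn the constructed log lines into (timestamp, ip, account, password_ok) tuples."""
    rows = [line.split() for line in text.splitlines()]
    return [(datetime.fromisoformat(ts), ip, user, pw == "pw=ok") for ts, ip, user, pw in rows]

def new_location_alerts(events, known_ips=KNOWN_IPS):
    """Per-account rule behind a 'blocked access' email: the master password was right,
    but the source is one this account has never used, so the attempt is blocked and the
    owner notified. It fires for a stuffing hit and for a travelling user alike."""
    return [(user, ip) for _, ip, user, pw_ok in events
            if pw_ok and ip not in known_ips.get(user, set())]

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Source-level rule: one IP trying many distinct accounts in a short window is stuffing."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged
```

The per-account alert cannot tell carol's stuffing hit from grace's trip; only the source-level view shows that 198.51.100.7 is cycling through accounts.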
During the Wednesday statement, Angyal further noted that “Out of an abundance of caution, we continued to investigate to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems, and this issue has since been resolved.”
Angyal also assured users that their credentials could not have been accessed, because LastPass never knows a user's master password and neither stores nor has access to it.
The other VP who reassured users was Dan DeMichele, who sent a notice to several publications. The notice repeated the details put forward by Angyal, assuring users that their details had not been stolen.
Users are not reassured
However, the statements by the two executives did little to reassure users that their accounts were still safe. Craig Lurey, CTO of the password manager Keeper, noted that credential stuffing remained a major threat to users. According to Lurey, attackers use the technique mainly to induce breach fatigue, and then mount their attack.
In a statement, Lurey said that “with a slew of breaches and alerts throughout 2021, consumers have become apathetic to compromised accounts. In fact, a recent survey from the Identity Theft Resource Center revealed that 16% of breach victims take absolutely no action to re-secure their accounts.”
Lurey also noted that cybercriminals are persistent when using credential stuffing. They rely on an understanding of human behaviour, knowing that users will eventually dismiss such notifications as a scam when they may in fact be alerting them to a real compromise.
Users of LastPass have also been advised to enable multi-factor authentication or a biometric login. Such measures add a second layer of protection beyond the master password on these accounts. Two weeks ago, LastPass’s parent company, LogMeIn, announced that it was absorbing LastPass fully.