LastPass accidentally scared users witless with false breach alerts

(Image credit: LastPass)

Password manager firm LastPass has confirmed that a number of recent unauthorized login alerts received by customers were sent out in error.

After users took to online forums to notify one another that someone from Brazil (as well as other places around the world) had been trying to access their LastPass accounts, the company responded, explaining that no passwords have been compromised.

As per an article from The Verge, when reports first started popping up, LastPass responded by saying the issue was probably caused by automated bots trying out passwords stolen elsewhere on the web. However, after further investigation into the matter, the company realized that its own systems were to blame, at least in part.

“Out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems,” explained Dan DeMichele, VP Product Management at LastPass.

“Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved. These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts.”

Storing passwords securely

LastPass is a popular password manager that generates, stores and automatically changes passwords in regular intervals (among other things). It’s one of many freemium password managers available.

Passwords are generally considered the weakest link in the cybersecurity chain. As a result, security experts recommend users create strong and unique passwords, store them securely, and change them frequently.

A password manager is recommended, as a tool that can simplify what’s often seen as a cumbersome and time-consuming process.

Multi-factor authentication, in the form of a smartphone apps or security key, is also recommended, especially for more sensitive services, such as banking.

Via The Verge

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.