LastPass VPs confirm ‘no indication’ of compromised accounts after security alerts

LastPass VP Gabor Angyal said some of the security alerts that initially caused concern were “likely triggered in error.”

Two LastPass vice presidents have released statements about the situation surrounding LastPass security issues that came to light this week. 

Two days ago, hundreds of LastPass users took to Twitter, Reddit, and other sites to complain that they were getting alerts about their master password being used by someone who was not them. Some reported that even after changing their master password, someone tried to access their account again.

On Tuesday, the company released a brief statement noting that its security team observed and received reports of potential credential stuffing attempts. Credential stuffing involves attackers using stolen credentials (usernames, passwords, etc.) to try to access users’ accounts.

“While we have observed a small uptick in this activity, we are utilizing multiple technical, organizational, and operational methods designed to protect against credential stuffing attempts. Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn were breached or compromised,” wrote Gabor Angyal, VP of engineering at LastPass. 

On Wednesday, the company expanded Angyal’s original statement, explaining that it recently investigated reports of an uptick of users receiving blocked access emails, normally sent to users who log in from different devices and locations. The company’s initial findings led it to believe that these alerts were triggered in response to attempted “credential stuffing” activity. 

Angyal’s Wednesday statement said, “Out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.” 

Angyal noted that at “no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).”

Source: https://www.zdnet.com/article/lastpass-vp-says-no-indication-that-accounts-compromised-or-credentials-harvested-after-reports/?&web_view=true
