Hackers trying to access LastPass accounts — what to do

(Image credit: LastPass)

Despite it no longer offering a gratuitous tier, LastPass remains one of the all-time password managers, which likewise makes it a likely target for hackers. A number of users reported that they received warnings that their LastPass primary passwords accept been compromised, though as in many other cases of this ilk, it appears to be the result of them having re-used passwords, or having their passwords exposed elsewhere.

First appearing in Hacker News, information technology seems that a number of these attempted breaches originated in Brazil and other parts of the earth; due to the unusual origin of these requests, LastPass blocked these attempts and and so emailed the legitimate customers, warning that their passwords may have been compromised.

In a statement to Android Law, LastPass owner LogMeIn said:

"LastPass investigated recent reports of blocked login attempts and adamant the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to admission user accounts (in this instance, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It's of import to note that nosotros do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised past an unauthorized party. We regularly monitor for this type of activity and volition continue to have steps designed to ensure that LastPass, its users, and their information remain protected and secure."

Even if hackers were able to breach LastPass itself, it's highly unlikely that they'd be able to admission users' master passwords. That'due south because LastPass's servers don't store your master password. Instead, they shop a "hash" of the master password, which means the primary countersign you type in is run through an algorithm on your device and the event of the algorithm is compared to what LastPass has previously stored.

What to do if your LastPass chief password has been compromised

If you received a alarm from LastPass that someone attempted to log into your account — or if you want to make it more hard for hackers to break into your account — there's a few steps you should take right away.

Change your LastPass chief password to one that you don't utilize elsewhere.
LastPass users tin minimize the take a chance of compromise by enabling two-gene authentication in their Business relationship Settings > Multifactor Options.
Considering many of these unauthorized login attempts seem to be coming from Brazil or South Africa, restricting logins to but specific countries should block some of the attempts. Become into Business relationship Settings, click the "Show Advanced Settings" button on the lesser of the Settings window, coil downwards and select "Only allow login from selected countries" and and so cheque off the country where you live and those countries that you may oft visit. Click "Update" when done.
If you're worried about failed login attempts to your account, get into Advanced Options from the main menu's navigation bar, and then select "View Account History." That will let yous view all login attempts, successful or not, over a specific date range. You'll want to look for login attempts from unfamiliar IP addresses that don't match those that you normally use. The IP addresses you normally use will be the vast majority of the successful logins, and those IP addresses that don't lucifer should stand out.

While information technology's practiced to know that no accounts were compromised, information technology'south an important reminder as to why having unique passwords are so critical. Using the same countersign too many times can be a major vulnerability. At present would be a good time to make sure that all your passwords are unique and secure. Web browsers like Google Chrome, Firefox and Microsoft Edge all have features that tin can warn you if whatever of your passwords accept been breached and tin suggest new passwords also.

Michael A. Prospero is the deputy editor at Tom's Guide overseeing the home, smart home, drones, and fettle/wearables categories, equally well as all buying guides and other evergreen content. When he's not testing out the latest running watch, skiing or preparation for a marathon, he's probably using the latest sous vide machine or some other cooking gadget.