LastPass has launched an investigation following a recent surge in blocked login attempts.
The emailed notifications to a pre-registered email address would normally follow attempts to log in from a different browser version, device, or location.
Users in receipt of these emails are invited to go to a link in order to confirm that the attempted login was valid.
When LastPass noticed an unexpected rise in the occurrence of blocked access emails it initially suspected that it could be the resulted of a “credential stuffing” attack.
Catch up with the latest password security news and analysis
Credential stuffing attacks involve attempts to gain access to targeted accounts using email addresses and passwords obtained from third-party breaches.
The tactic relies on the insecure habit among all too many consumers of using the same password and login combination on multiple sites.
In a blog post yesterday (December 28), LastPass said early results of its investigation revealed no evidence that any of its users’ accounts had been hacked or otherwise compromised.
We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.
Follow up work by the cloud-based password management service suggest that the blocked password email notification surge was the result of a glitch in the system rather than any malicious activity.
“Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error,” Gabor Angyal, senior director of engineering at LasPass, explains. “As a result, we have adjusted our security alert systems and this issue has since been resolved.”