LastPass confirms credential stuffing attack against some of its users
Catalin Cimpanu December 28, 2021

Password manager app LastPass said today that a threat actor has launched a credential stuffing attack against its users in an attempt to gain access to their cloud-hosted password vaults.

In an email to The Record today, the company said it had not seen any evidence that accounts were successfully compromised in the recent attack that appears to have started earlier this week, on Monday.

LastPass confirmed the attack after tens of users went online today to share that they received security alert emails from the company claiming it blocked a login attempt with a correct master password from a foreign IP address, typically based in Brazil.

A credential stuffing attack is when hackers take username and password combinations leaked through data breaches and attempt to use them at other online services, hoping that some users reused credentials across different sites.

Credential stuffing attacks have been a pretty common occurrence in recent years, primarily after the leak of billions of user credentials since the mid-2010s.

These types of attacks have typically been aimed at online services like email providers, gaming accounts, social media profiles, and online shopping sites since these are the typical accounts that, when hacked, can be re-sold on cybercrime markets.
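From the defender's side, the pattern described above shows up in authentication logs as one source trying many different accounts with mostly wrong passwords, plus the occasional correct password arriving from a location the account has never used. The sketch below is an added example, not LastPass's detection logic; the event fields, thresholds, addresses and accounts are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2021, 12, 27, 9, 0)  # constructed timestamps

def ev(sec, ip, country, account, ok):
    return (T0 + timedelta(seconds=sec), ip, country, account, ok)

# Constructed auth events: (time, source IP, country, account, password_ok)
EVENTS = [
    ev(0, "198.51.100.20", "US", "alice@example.com", True),
    ev(60, "203.0.113.7", "BR", "carol@example.com", False),
    ev(65, "203.0.113.7", "BR", "dave@example.com", False),
    ev(70, "203.0.113.7", "BR", "alice@example.com", True),
    ev(75, "203.0.113.7", "BR", "erin@example.com", False),
    ev(80, "203.0.113.7", "BR", "frank@example.com", False),
    ev(300, "192.0.2.5", "DE", "bob@example.com", False),
    ev(360, "192.0.2.5", "DE", "bob@example.com", True),
]
# Constructed history of countries each account has logged in from before
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"DE"}}

def stuffing_sources(events, window=timedelta(minutes=10),
                     min_accounts=4, max_success_ratio=0.25):
    """IPs that tried many distinct accounts in one window, mostly failing."""
    by_ip = defaultdict(list)
    for ts, ip, _country, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = set()
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            span = rows[start:end + 1]
            accounts = {account for _, account, _ in span}
            successes = sum(ok for _, _, ok in span)
            if (len(accounts) >= min_accounts
                    and successes / len(span) <= max_success_ratio):
                flagged.add(ip)
                break
    return flagged

def held_logins(events, known_countries):
    """Correct-password logins from a country new to that account."""
    return [(account, ip, country)
            for _ts, ip, country, account, ok in events
            if ok and country not in known_countries.get(account, set())]
```

A login returned by `held_logins` is the case where the password was right but the context was not, which is when a service would hold the session and notify the account owner.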

This week’s attack marks the first major credential stuffing incident reported against a password manager service. More specifically, this attack targeted LastPass’s cloud accounts, where users can save and synchronize their local passwords, so they can be reused across different devices.

LastPass’ full statement, provided via email, is below:

LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.  

But while LastPass claims the recent account compromises were the result of a credential stuffing attack, after this article went live, security researcher Bob Diachenko suggested that this might not necessarily be true, and that hackers simply used a database that leaked from a malware operation, which appears to have also contained LastPass account master passwords.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.