How did you get my master password?
December 27, 2021 4:03 PM

Lastpass just notified me that someone in Mumbai correctly entered my master password (I am not in Mumbai, and don't know anyone there). Lastpass refused the login attempt as suspicious, but advised me to change my master password. How could someone have gotten my master password?

First, I already went to, without following any links in the email, and changed my master password. But I can't imagine how they got the old one.
I have never used that password anywhere else, and it doesn't appear as pwned in

I haven't typed that password in months, maybe years, because I don't really use my lastpass! That fact made me go ahead and delete all my passwords from lastpass, as an unnecessary attack surface, but I am still concerned.

The email from lastpass did not appear suspicious. It didn't offer me links to go change my password, or request a reply, or otherwise resemble phishing in any way I can spot. An antivirus scan on my PC didn't turn anything up.

Could they have just...guessed it? Lastpass claims to defend against brute-force attacks with a threshold for some number of wrong guesses. The password was basically four words--two nonsense and two real words, with no spaces, special characters, or numbers. I would assume that brute force couldn't crack that, so what are the remaining likely attack vectors, here?
posted by agentofselection to Computers & Internet (12 answers total) 7 users marked this as a favorite
My first thought would be a phishing attack, if the alert was via email, try viewing the source and see if it contains any suspicious looking links.
posted by Lanark at 4:10 PM on December 27, 2021
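A way to do the check Lanark describes over a saved copy of the alert, as an added example that is not part of this thread and is not LastPass code: it parses a raw e-mail, pulls every link out of the HTML part, and flags any link whose host is outside an allow-list of expected domains, or whose visible text names one host while the href points at another. The message, the allow-list and the look-alike domain are all constructed here for illustration.

```python
"""Inspect a raw e-mail for suspicious links (added example, not from the thread)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not a real alert. The second link deliberately
# shows one URL as text while pointing at a look-alike domain, so the
# check has something to flag.
SAMPLE_EMAIL = """\
From: Security Alerts <noreply@lastpass.com>
To: user@example.org
Subject: Login attempt blocked
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A login from an unrecognized location was blocked.</p>
<p>Review activity at <a href="https://lastpass.com/?ac=1">lastpass.com</a>.</p>
<p>Or <a href="https://lastpass-verify.example.net/login">https://lastpass.com/login</a></p>
</body></html>
"""

# Hosts a genuine alert from this sender is expected to link to (assumption).
EXPECTED_HOSTS = {"lastpass.com", "www.lastpass.com"}

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-case host of a URL; a scheme is assumed if the text has none."""
    text = url.strip()
    if "://" not in text:
        text = "https://" + text
    return (urlparse(text).hostname or "").lower()


def suspicious_links(raw_email: str, expected_hosts=EXPECTED_HOSTS):
    """Return (href, reason) pairs for links a reader should not trust."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            href_host = host_of(href)
            if href_host not in expected_hosts:
                findings.append((href, f"host {href_host!r} is not an expected domain"))
            # Display text that reads as a URL but resolves to a different host
            # is the classic phishing tell.
            text_host = host_of(text) if URL_LIKE.match(text) else ""
            if text_host and text_host != href_host:
                findings.append((href, f"text shows {text_host!r} but link goes to {href_host!r}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

Run it against the raw source of the message (most mail clients offer "view source" or "save as .eml"). An alert with no links at all, as the poster describes, produces no findings, which is consistent with the mail being genuine but does not prove it; the sender headers would need checking separately.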

Response by poster: Me too, but the email had no links to change the password, which made me worry it was real. Once logged into lastpass though, I can't find a way to check the history of attempted logins, so I can't find a way to confirm that they generated the email.
posted by agentofselection at 4:16 PM on December 27, 2021

Best answer: You're not the only one... here's a HN thread with many people in the same situation:
posted by mattdini at 4:31 PM on December 27, 2021 [8 favorites]

Response by poster: Wow, yes, those are a lot of very similar stories. At least I can now count on there being more people investigating. Hopefully someone figures out what happens and explains it soon.
posted by agentofselection at 4:48 PM on December 27, 2021

I also had a lastpass account kicking around that I didn't use anymore (switched to 1password). I didn't get an alert myself but all these reports are pretty scary.

FYI their account deletion page has a way to do it even if you've forgotten your password. Dunno why I didn't do that a long time ago, but it's gone now at least.
posted by davidest at 8:41 PM on December 27, 2021

I just changed my master pw - the discussion on HN seems to indicate that these are old pws that were hacked maybe years ago. Also, I don't know how much it helps, but you can do 2FA on Lastpass with Google Authenticator. You can also shut off access to countries other than the place you live.
posted by Mid at 9:29 PM on December 27, 2021

Just to answer the technical question: If someone got hold of your hashed master password as stored by LP, then it might be possible for them to guess your password through trial and error, offline, without running into the "maximum number of tries" limit. Maybe your "nonsense" words are used by other people and appear on lists of words to try when attempting to guess correct horse battery staple-type passwords.
posted by labberdasher at 11:15 PM on December 27, 2021
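To make the online-versus-offline distinction in this answer concrete, here is an added example (not from the thread, and not LastPass's actual parameters) that estimates the guess space of a passphrase built from a wordlist and compares how long exhausting it would take against a login rate limit versus against a stolen hash, using a PBKDF2-HMAC-SHA256 throughput measured on the machine it runs on. The iteration count, wordlist sizes and the online rate-limit figure are illustrative assumptions.

```python
"""Online lockout vs. offline guessing of a wordlist passphrase (added example)."""
import hashlib
import math
import os
import time

ITERATIONS = 100_000          # assumed KDF work factor, not a vendor figure
ONLINE_GUESSES_PER_DAY = 10   # assumed: roughly what a lockout threshold permits
SECONDS_PER_DAY = 86_400


def passphrase_guess_space(wordlist_size: int, words: int) -> int:
    """Candidates for `words` words drawn with repetition from one list."""
    return wordlist_size ** words


def entropy_bits(guess_space: int) -> float:
    """Entropy of a uniformly chosen passphrase with this many candidates."""
    return math.log2(guess_space)


def measure_pbkdf2_rate(iterations: int = ITERATIONS, samples: int = 5) -> float:
    """Guesses per second for one CPU core in pure Python at this work factor.

    A real attacker on GPUs is orders of magnitude faster; the point is the
    shape of the comparison, not the absolute number.
    """
    salt = os.urandom(16)  # constructed salt, value irrelevant to the timing
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


def expected_days(guess_space: int, guesses_per_second: float) -> float:
    """Expected time to the correct guess: half the space on average."""
    return guess_space / 2 / guesses_per_second / SECONDS_PER_DAY


def compare(wordlist_size: int, words: int, offline_rate: float, cores: int = 1) -> dict:
    """Summarise one passphrase shape against online and offline guessing."""
    space = passphrase_guess_space(wordlist_size, words)
    return {
        "guess_space": space,
        "entropy_bits": round(entropy_bits(space), 1),
        # The rate limit caps the attacker at ONLINE_GUESSES_PER_DAY.
        "online_days": expected_days(space, ONLINE_GUESSES_PER_DAY / SECONDS_PER_DAY),
        # Against a stolen hash the only brake is the KDF work factor.
        "offline_days": expected_days(space, offline_rate * cores),
    }


if __name__ == "__main__":
    rate = measure_pbkdf2_rate()
    print(f"measured: {rate:.1f} PBKDF2 guesses/s per core at {ITERATIONS} iterations")
    # 7776 = a Diceware-sized list; 2000 = a list of common English words.
    for size in (7776, 2000):
        r = compare(size, 4, rate)
        print(f"{size}-word list, 4 words: {r['entropy_bits']} bits, "
              f"online {r['online_days']:.3g} days, offline {r['offline_days']:.3g} days")
```

The online figure is effectively infinite for any passphrase, which is why the lockout threshold the poster mentions is not the relevant defence once a hash is in an attacker's hands; only the work factor and the size of the space the words were drawn from are. Treating the "nonsense" words as if they came from the same list as the real ones, as the answer suggests an attacker would, gives the pessimistic estimate.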

This doesn't answer your question, but here's a mitigation strategy for this type of attack. In the Advanced Settings section, there's a setting to control which countries to allow logins from. I've set mine to allow logins only from the country where I live and one other to which I travel frequently. There are various other settings as well that allow you to reduce your attack surface -- I'd urge you to check that all out.
posted by number9dream at 7:01 AM on December 28, 2021

Remembered this question and came back to post this article:
posted by alchemist at 8:34 AM on December 28, 2021

Wow. 2nding turning on 2-factor authentication and limiting the allowed countries. It might be nothing, but why risk it. I deleted my LastPass account 5 minutes ago, as I haven't used it since switching to Bitwarden a few months ago. Just FYI: the account deletion procedure gives me an error in the last step, but it seems to delete the account anyway.
posted by gakiko at 12:16 PM on December 28, 2021

According to Lastpass they detected no hacking on their end, except an uptick in "credential stuffing".
posted by kschang at 1:18 PM on December 28, 2021

Best answer: As a follow-up, I received an e-mail from LastPass today which stated that:

If the login attempt was not you, allow us to explain what happened. We recently received reports of an uptick of users receiving blocked access emails. Our investigation found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved. At this time, there is no indication that your LastPass account or your credentials were breached or compromised.

In other words, the most likely explanation is that nobody had my password at all, LastPass just erroneously reported that they did. So, thanks for the reminder to empty and close out that account, LastPass.
posted by agentofselection at 1:51 PM on December 29, 2021 [3 favorites]
