How LastPass Helps Protect Against Malicious Activities It is also important to remember that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).
These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. As a result, we have adjusted our security alert systems and this issue has since been resolved. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns. Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We recently investigated reports of an uptick of users receiving blocked access emails, normally sent to users who log in from different devices and locations. As part of our commitment to security, we regularly monitor our services for actual, suspected, or attempted malicious or unusual activity.
0 kommentar(er)
