AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.
LastPass members have reported multiple attempted logins using correct master passwords from various locations, indicating a possible data breach at the company.
Multiple users in a Hacker News forum have shared that their master passwords for LastPass appear to be compromised. It is unknown how the passwords have leaked out, but a pattern has emerged amongst users.
The majority of reports appear to come from users with outdated LastPass accounts, meaning they haven’t used the service in some time and haven’t changed the password. This indicates the master password list being used may have come from an earlier hack.
Some users claim that changing their password hasn’t helped, with one user claiming that they saw new login attempts from various locations with each password change. It is unclear how severe the password leak may be, or if LastPass is currently under attack.
There has been no official statement from LastPass as of yet. AppleInsider has reached out to the company for clarification.
We can confirm that there is some kind of organized effort to break into LassPass vaults. Since publication, we’ve had confirmation from readers and colleagues all over the globe about login attempts.
A heads up for my friends, LastPass password manager isn’t secure at the moment. There’s a certain rush to hijack all data using master passwords as we speak.
— zodttd (@zodttd) December 28, 2021
AppleInsider recommends that users change their passwords, enable two-factor authentication, and keep an eye out for suspicious login attempts. There is also the option of removing passwords from the service and migrating to 1Password or Apple’s iCloud Keychain.
LastPass is a free password manager available across desktop and mobile devices. There have been security concerns about the Android version of the app and its use of trackers.
Update 12/28 11:34 AM ET: Updated with more reports of an organized effort to penetrate LastPass repositories.
