There is apparently a large-scale attack going on against accounts, login attempts using the correct master password. LastPass claims it to be credential stuffing, yet people on Hacker News report using unique and strong passwords.


So the question about just how these master passwords leaked remains open. I have at least one suspicion, should really only older accounts be affected. AFAIK LastPass never investigated whether the websiteBackgroundScript issue was already actively abused.

People on Hacker News are comparing lists of browser extensions, but I’d consider this an unlikely source. If a malicious or vulnerable browser extension compromised your LastPass master password, the attackers don’t need LastPass to get the rest of your passwords.

Some accounts affected are apparently brand-new, so my suspicion doesn’t seem to be it. Other accounts haven’t been used for years. It’s hard to imagine anything other than LastPass itself being the source of this leak.

The weird part: attackers must have gotten their hands on unencrypted passwords somewhere. They definitely weren’t reversing 100,000 rounds of PBKDF2 for this large-scale attack.

Maybe LastPass somehow logged the unencrypted password when people logged in via the web interface?

@WPalant This is why I always advocate for people to use KeepassXC instead of LastPass or any sort of online password manager. The unmatched control over your security is well worth the extra hassle of having to manage a DB file. As they say, convenience comes at a cost.

@slips While that’s true, the attack surface of online password managers can be minified. LastPass doesn’t seriously make an effort however (see

Note that the typical attack vector against offline password managers is autofill functionality. If implemented badly, it doesn’t matter where your database is stored.
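The "implemented badly" autofill case from the post above, as an added example that is not part of the thread and not any password manager's code: a vault lookup that matches credentials to the requesting page by loose substring on the URL, beside one that compares the full origin (scheme, host, port) and refuses plaintext HTTP. The vault entries, hostnames and test URLs are constructed for the demonstration.

```javascript
// Added example: two ways an autofill component could decide whether a
// stored credential belongs to the page asking for it. Vault contents and
// URLs below are constructed; nothing here is a real site or secret.
const VAULT = [
  { origin: "https://bank.example", username: "alice", password: "s3cret-bank" },
  { origin: "https://mail.example", username: "alice@mail.example", password: "s3cret-mail" },
];

// Full origin of the page (scheme + host + non-default port), or null if unparseable.
function pageOrigin(pageUrl) {
  try {
    return new URL(pageUrl).origin;
  } catch {
    return null;
  }
}

// Weak matcher: "does the stored hostname appear anywhere in the page URL?"
// A lookalike host, a hostname echoed in a query string, or an http:// page
// all pass this test, so credentials can be offered to the wrong party.
function looseMatch(pageUrl) {
  return VAULT.filter((e) => pageUrl.includes(new URL(e.origin).hostname));
}

// Strict matcher: exact origin equality, HTTPS only. A subdomain of the
// attacker's site, a URL that merely mentions the bank, and a downgraded
// http:// page all yield no candidates.
function strictMatch(pageUrl) {
  const origin = pageOrigin(pageUrl);
  if (origin === null || !origin.startsWith("https://")) return [];
  return VAULT.filter((e) => e.origin === origin);
}

// Usernames each matcher would offer for a page; the secret itself never
// leaves this function in the output, which is what a UI prompt would show.
function candidates(matcher, pageUrl) {
  return matcher(pageUrl).map((e) => e.username);
}

// Side-by-side comparison for one page URL.
function compare(pageUrl) {
  return { loose: candidates(looseMatch, pageUrl), strict: candidates(strictMatch, pageUrl) };
}

// Constructed demonstration pages: the legitimate login, a lookalike host,
// a URL carrying the bank's name in its query string, and a plaintext page.
const PAGES = [
  "https://bank.example/login",
  "https://bank.example.attacker.test/login",
  "https://attacker.test/?next=bank.example",
  "http://bank.example/login",
];

for (const url of PAGES) {
  console.log(url, JSON.stringify(compare(url)));
}
```

The strict matcher is the only one that ends up offering "alice" solely on https://bank.example; the loose matcher offers it on all four pages. This is the difference the post is pointing at: where the vault lives matters less than whether the component handing out its contents checks the origin it is talking to.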

@WPalant That does make sense, I suppose you could potentially make an online PM pretty secure.

As for the issue of autofill, from the experience I've had with keepassxc-browser's autofill function, it looks relatively secure, and (at least, by default) explicitly asks for your permission to access credentials for a site when prompted. Doesn't ask for a password or anything, but if some random site is asking for your banking information, I imagine you would notice something was up.

@WPalant It's also possible that it's an alerting failure, and that they're misreporting unsuccessful password guesses as successful for some reason.

But I sure wouldn't rule out a straight-up breach. They don't have a particularly reassuring history.

@varx LastPass downplaying the issue in their official statement indicates that this isn’t merely a bug…

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.