Unauthorized LastPass access

There’s a wild discussion on Hacker News at the moment about certain LastPass users seeing unauthorized access. To summarize that discussion:

  • Certain users are seeing unauthorized access to their LastPass account, using the correct master password.
  • Affected users are seeing access from multiple regions, mostly Brazil; Toronto and Paris too.
  • Unauthorized access is stemming from an IP range starting with 160.

At this time, there are various unknowns: is LastPass compromised, are these unauthorized logins an act of internal (support teams, for example) division accessing user accounts, related to the log4j vulnerability, or due to a malicious desktop app or browser extension capturing input.

A master password is a single password that you use to access the LastPass account, which in turn contains individual site passwords. So, you are using LastPass, you’ll need to rotate your master password and individual site passwords right now.

If you ask me though, I’d strongly recommend moving off of LastPass. Bitwarden and 1Password are great choices, of which the former is free and open source. The latter is paid, commercial, and isn’t open source. But 1Password’s security model looks good enough, in that they require a “secret key” in addition to the password. It’s my favorite: Setting up password managers for family and friends. Also, both Bitwarden and 1Password allow setting up 2FA for the password manager itself.

Leave a reply