After a user wrote about the problem on Hacker News, online forums have been filled with reports that LastPass sent emails to users describing unauthorized login attempts with their master password. LastPass has since said it has not leaked user information, leaving people with lots of questions.
Greg Sadetsky, a Montreal-based technologist who wrote the post on Hacker News, calls himself a part-time, involuntary “security man.” “I think I’m pretty paranoid,” he told Input, adding that he has a habit of ending conversations with a reminder not to use the same password twice (“Not all conversations, though,” he assured me). In the last month alone, he told me, he has disclosed security vulnerabilities in both the lab of a COVID test company and the app that controls the lights over the World Trade Center. “I just want to fix these things,” he said. So on December 27, when Sadetsky received an unexpected email about his password manager, he spoke up.
Sadetsky wrote that LastPass warned him of a login attempt using his account’s master password with this message: “Someone may have used your master password to try to log into your account from a device or location we didn’t recognize.”
He sees the incident as particularly worrying because the password was used only on LastPass and was stored only in another encrypted password manager, KeePassX. Sadetsky says he deliberately took the extra step of using a second password manager to generate and encrypt the master password for his LastPass password manager.
Could it be a keyboard sniffer?
The last time he handled the master password, he says, was in 2017, when he copied it from KeePassX and pasted it into LastPass. He initially speculated that malware, such as a clipboard sniffer, could have captured his password when he copied and pasted it four years earlier. But as his post gained traction and many people reported the same problem, he says he came to consider that explanation less likely.
A problem with KeePassX itself is also unlikely. KeePassX stores passwords in an encrypted database, in a form that is unreadable and unusable to an attacker without the key.
Hacked from the same place
Another notable detail is the similarity of the IP addresses behind the login attempts. In the email alert, LastPass included the IP address from which the login attempt was made, and Sadetsky found four other users who had received alerts listing strikingly similar IP addresses. The accounts of at least five users had seen login attempts from foreign IP addresses in the 160.116 range. But at least five other Hacker News users reported LastPass warnings citing IP addresses that didn’t match the rest.
LastPass shared in an email statement that it had no reason to believe that its service was compromised:
LastPass reviewed recent reports of blocked login attempts and we believe the activity is related to “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unrelated services. It is important to note that at this time we have no indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We monitor for this type of activity regularly and will continue to take steps designed to ensure that LastPass, its users and their data remain safe and secure.
LastPass users are not entirely satisfied with the company’s response. LastPass says the login attempts are the result of a third-party breach, but Sadetsky says he never used his master password on any other site. If no other site ever had the master password, how could a third-party breach have exposed it? Other users on Hacker News said they had been just as careful. So how did a foreign IP address end up with the correct credentials?
It is possible that this is a “false positive.” LastPass may have a problem with its email alerts rather than with its security. Sadetsky says he contacted LastPass Support and confirmed that the email wasn’t a phishing scam: it genuinely came from the company. But it may have been sent by mistake because of a low-level error. There is also the possibility that LastPass has a security issue that has not been disclosed.
“There’s an unknown hovering in the air,” Sadetsky said. “Something’s happening that we cannot figure out.” He’s not angry at LastPass, but he is definitely confused. The experience is a reminder of “how complicated it is to stay safe,” he said.
Whatever the cause of the problem, this is a good time to change your LastPass master password. And for those who have given up on password managers entirely, it’s time to set aside a few minutes to set one up (seriously!). If you want to avoid having your accounts hacked (social media, online banking, email and more), you might want to become a bit of a security expert yourself.