Credential-stuffing is a type of cyberattack that involves using stolen account credentials, typically username or emails addresses with corresponding passwords, that are then used to gain access to accounts on other services. LastPass has responded to the reports, saying it has observed a slight uptick in attempted credential-stuffing attacks. But the obvious question is: How were the LastPass master passwords seemingly compromised? That they were blocked is a positive, since LastPass managed to stop the attempts. The email notifications note that the login attempts have been blocked because they were made from unfamiliar locations. “Someone just used your master password to try to log in to your account from a device or location we didn’t recognize,” the email messages to affected users state. “LastPass blocked this attempt, but you should take a closer look.
In some cases, the internet protocol address in the notifications was from an anonymizing proxy service, while in other cases, the IP address was from Brazil. The threads tell a similar tale: The users had received a notification of people trying to log in using their master password. News of the compromise first emerged Tuesday on social media, including Twitter Inc., Reddit Inc. Some users of password manager LastPass are reporting that their master passwords have been compromised after receiving emails that someone had tried to access their accounts from unknown locations.
0 kommentar(er)
