Password manager Lastpass has blamed credential stuffing as its users report getting email notifications about their master passwords being compromised and threat actors trying to access their accounts. The email notification further stated that any login attempts had been blocked.

A LastPass user created a HackerNews thread to discuss the issue that has gathered 486 comments with at least seven reports of the password breach coming in from the same IP address range, which seems to be based in Brazil. The attacks seem to have started on Monday.

In an email to The Record, the company stated that they hadn’t seen any evidence that any accounts were successfully accessed or the service itself was compromised in the attack. The company reports that this is a credential stuffing attack, where hackers take compromised credentials from data breaches and try to use them on different online services. 

Also read: Fisher Price’s Chatter toy has a privacy issue

Credential stuffing or blame?

Security Discovery’s Bob Diachenko says that credential stuffing might not be the case here, stating that thousands of Lastpass login credentials were found in the Redline Stealer Malware logs he reported earlier. 

After receiving the notification, users who changed their master passwords received another similar email several hours earlier, suggesting that the source of the leaked credentials might be inside Lastpass itself. To make matters worse, anyone who tried deleting their Lastpass accounts could not do so, getting an error saying “something went wrong: A.”

The attack specifically targeted Lastpass’ cloud accounts, where users save and sync local passwords to be reused across different devices. 

We recommend you enable multifactor authentication on your Lastpass accounts to prevent them from being compromised even if your master password gets compromised.

In the News: Andreessen blocks Dorsey on Twitter as the Web3 debacle heats up