LastPass Users Targeted by Credential Stuffing Attacks

LastPass Users Face Credential Stuffing Attacks

The developers of the LastPass password manager have issued a warning that cybercriminals are targeting users with credential stuffing attacks in an attempt to gain access to their cloud-based password vaults.

What Is Credential Stuffing?

Credential stuffing refers to situations where usernames and passwords stolen from one website are used to try to log in to other sites. Attackers obtain databases of credentials—often purchased on the dark web or collected by other means—and attempt to use them to access various online accounts, impersonating their victims.

Details of the Attacks

According to a report by The Record, LastPass developers confirmed ongoing attacks after dozens of users reported receiving warning emails. These messages stated that LastPass had blocked a login attempt using the correct master password, but from a foreign IP address—most commonly from Brazil.

This is reportedly the first major incident of credential stuffing attacks specifically targeting users of a password manager. The attacks focus on LastPass cloud accounts, where users store and sync their local passwords for use across multiple devices.
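The check described in the warning emails (correct master password, unfamiliar location, login blocked and user notified) can be sketched as follows. This is an added example, not LastPass code: the event layout, the per-account country history, the threshold and all names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, country, account, password_ok)
EVENTS = [
    ("203.0.113.7", "BR", "alice@example.com", True),
    ("203.0.113.7", "BR", "bob@example.com", False),
    ("203.0.113.7", "BR", "carol@example.com", False),
    ("203.0.113.7", "BR", "dave@example.com", False),
    ("198.51.100.4", "US", "alice@example.com", True),
    ("198.51.100.9", "DE", "bob@example.com", False),
]
# Assumed history: countries seen on each account's earlier verified logins.
KNOWN_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"DE"},
    "carol@example.com": {"FR"},
    "dave@example.com": {"US"},
}
STUFFING_THRESHOLD = 3  # assumed: distinct accounts tried from one IP


def evaluate(events, known, threshold=STUFFING_THRESHOLD):
    """Return (decisions, stuffing_ips) for a list of login events."""
    accounts_per_ip = defaultdict(set)
    decisions = []
    for ip, country, account, password_ok in events:
        accounts_per_ip[ip].add(account)
        if not password_ok:
            decisions.append("deny")
        elif country not in known.get(account, set()):
            # Correct password from an unfamiliar location: the password
            # alone is not accepted as proof of identity.
            decisions.append("block_and_notify")
        else:
            decisions.append("allow")
    # One source trying many different accounts is the stuffing signature.
    stuffing_ips = {ip for ip, accts in accounts_per_ip.items()
                    if len(accts) >= threshold}
    return decisions, stuffing_ips


if __name__ == "__main__":
    decisions, ips = evaluate(EVENTS, KNOWN_COUNTRIES)
    for event, decision in zip(EVENTS, decisions):
        print(decision, event)
    print("possible credential stuffing sources:", sorted(ips))
```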

No Evidence of Successful Breaches

LastPass has emphasized that, so far, there is no evidence that any accounts have been successfully accessed or that LastPass itself has been compromised by an unknown third party.
