A security scare cropped up late Tuesday for LastPass users when some reported receiving emails from LastPass alerting them that LastPass had blocked unauthorized attempts to access their accounts. As first reported by AppleInsider, some LastPass members said they were notified of multiple attempted logins, using correct master passwords, from various locations. LastPass confirmed the email alerts were related to an attempted credential stuffing attack — in which malicious actors try to log in to many accounts using credentials that were previously verified elsewhere — but said no master passwords were compromised.
In a statement, Dan DeMichele, LastPass’ vice president of product management, said the email security alerts were sent to a limited subset of LastPass users and were likely triggered in error. DeMichele said LastPass has adjusted its security alert systems and that the issue has been resolved.
“We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns,” DeMichele said. “However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.”
Regarding Tuesday’s security scare, LastPass said it will monitor the service for unusual or malicious activity and continue to take any necessary steps to ensure user data security.
As a preventive security measure, LastPass users should regularly update their master password and enable multifactor authentication on their accounts. If you’ve reused your LastPass master password for any other password manager — such as Bitwarden or 1Password — we advise you to update those accounts as well. And remember: if you’re using a password manager, never reuse the master password for any other site, service or app.
How to update your LastPass master password
The simplest way to change your LastPass master password is by logging into your vault through LastPass’ main site. Because of the recent scare, you may be asked to confirm your identity when you first attempt to log in. If so, you’ll likely need to confirm your attempted login through an email sent to the address associated with your LastPass account, so check your inbox for a LastPass email if you run into snags while logging in.
Once you’ve logged into your vault, go to the top-right corner of the page and, just to the right of your LastPass user name, click the small inverted triangle icon to expand your account menu. Select Account Settings.
A settings screen will pop up. Its first tab is labelled General. Under the Login Credentials header, you’ll see a row called Master Password. Just to the right of those words, click the button labelled Change Master Password.
From here, you’ll be prompted to confirm your current master password, create your new master password, and write a clue to help you recall it in the future if necessary.
To check whether the email address associated with your LastPass account has been involved in any recent breaches, you can go to Have I Been Pwned and enter your email address in the search bar.
In 2016, two vulnerabilities were found. One was discovered by security researcher Mathias Karlsson, the other by Google Project Zero’s Tavis Ormandy; the latter prompted LastPass to urge users to update their browsers. In 2017, the password manager patched another major security flaw in its browser extension — the Achilles’ heel of most password managers — that could have allowed hackers to manipulate a LastPass account. This foreshadowed University of York research in 2019, which found another vulnerability that would allow malicious copycat apps to exploit LastPass’ autofill feature. Ormandy returned to LastPass scrutiny later in 2019, discovering a third browser extension vulnerability — which LastPass again resolved — that would expose login credentials you entered on a previously visited site.
In February 2021, LastPass was in the privacy hot seat again for its use of web trackers.
Unlike the audits published by competitors RememBear, NordPass and open-source Bitwarden, LastPass’ independent, third-party audits are limited in their public availability. And while LogMeIn keeps a collection of audits for several of its properties, the company says its additional cloud security audit for LastPass is only available if you sign a nondisclosure agreement. Only bare-bones organizational audits have traditionally been publicly available, along with a list of companies LastPass works with.
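As an added illustration (not code from the article or from LastPass) of how a service could spot the credential stuffing pattern the article describes, the following detector flags an account when a correct password is presented from several distinct countries inside a short window. The log lines, field layout, window and threshold are all constructed assumptions.

```python
"""Credential-stuffing detector over constructed login-audit lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, account, source country, whether the
# submitted master password was correct. These are NOT real LastPass logs.
SAMPLE_LOG = """\
2021-12-28T03:01:10Z alice@example.com US ok
2021-12-28T03:01:55Z alice@example.com BR ok
2021-12-28T03:02:30Z alice@example.com RU ok
2021-12-28T03:03:05Z alice@example.com VN ok
2021-12-28T03:10:00Z bob@example.com US ok
2021-12-28T09:45:00Z bob@example.com US ok
2021-12-28T03:05:00Z carol@example.com DE fail
2021-12-28T03:05:20Z carol@example.com DE fail
"""


def parse_line(line):
    """Split one audit line into (timestamp, account, country, password_ok)."""
    ts, account, country, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, country, result == "ok"


def detect_stuffing(log_text, window=timedelta(minutes=10), min_countries=3):
    """Return {account: sorted countries} for every account where a correct
    password was presented from at least `min_countries` distinct countries
    within any `window`. Only correct-password events count: the scenario in
    the article is valid credentials replayed from many places, not a simple
    brute-force guess, so failed attempts (carol) never trigger the alert."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, country, ok = parse_line(line)
        if ok:
            events[account].append((ts, country))

    flagged = {}
    for account, evs in events.items():
        evs.sort()  # chronological order so each start point anchors one window
        for i, (start, _) in enumerate(evs):
            countries = {c for t, c in evs[i:] if t - start <= window}
            if len(countries) >= min_countries:
                flagged[account] = sorted(countries)
                break
    return flagged
```

A real deployment would feed this from the authentication service's audit stream and tune the window and threshold against normal travel and VPN usage, since, as the article notes, an overly sensitive rule can fire in error.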