I received a text today "Your LastPass verification code" and then gave a code. I had not requested any code and in fact was sleeping at the time. I don't have LastPass authenticator installed. Is this a hack? Does this mean someone has my master password?
Our security and engineering teams have recently observed potential “credential stuffing” attacks occurring. Credential stuffing attacks are events when a malicious or bad actor attempts to access user accounts (e.g., in this case, LastPass) using e-mail addresses and passwords obtained from third-party breaches related to other unaffiliated services. It is important to note that, based on your receipt of an unexpected SMS or Email account recovery request, it is very likely that any attempted access by a third-party has failed due to your use of two-factor authentication. Additionally, we want to reassure you that there is no indication that LastPass or LogMeIn were breached or compromised – these events appear to be entirely based on third-party breaches where individuals are attempting to take exposed e-mail addresses and passwords from unrelated and unaffiliated services and use them to gain access to other accounts.
We recommend immediately following the steps outlined here to make sure only you have access to your LastPass account, and enabling multi-factor authentication on your account.
If you have reused your LastPass Master Password anywhere, we also recommend immediately changing your LastPass Master Password. As a reminder, you should never re-use your LastPass Master Password and should always have multi-factor authentication enabled for your LastPass account.
LastPass has many industry-standard protections in place, from various infrastructure-level solutions, such as multiple web application firewalls, DDoS protection solutions, protections for managing bot activity, and malicious request filtering engines, to various application-level protections where we limit unusual behaviors in various ways. Operating and keeping these tools up to date is a continuous effort to keep you safe.
It’s very important that you use a strong Master Password and it should never be used as a password for any other website or app. Although you’re protected by the many layers of encryption and security we put in place to keep your data safe, using a strong, unique Master Password will not only help to protect you from a brute-force attack but should also ensure that a breach at another random website won’t affect your LastPass account.
While we enforce industry-standard minimums when creating the Master Password (must be at least 12 characters long, at least 1 number, at least 1 lowercase and 1 uppercase letter), LastPass users should make their Master Password as strong as possible. Specifically, that means a Master Password should be long and unique, with a mix of character types.
To help ensure your LastPass and other online accounts are secured from bad actors or hackers, we recommend you follow these online best practices:
This support article tells you how to see your account history. There is a Contact Support link at the bottom of every support site article if you ever need to open a ticket.
Some customers have reported getting email alerts that someone tried to recover their account; of course, this will not work unless the person also has your computer, since the recovery token is stored in your web browser. All LastPass customers should have MFA enabled on their account and linked to an authenticator app like LastPass Authenticator. You should also make sure that verification emails are sent for any sign-in attempts from unrecognized IP addresses or devices.
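As an added example (not LastPass code or any poster's), a small triage script over constructed account-activity records, illustrating the two signals the reply above describes: one source failing logins against many different accounts (credential stuffing), and recovery requests or verification codes sent from an address the account has never successfully logged in from. The Event layout, e-mail addresses and IPs are assumptions.

```python
"""Credential-stuffing triage over constructed account-activity records.
Added example: the record layout is an assumption, not LastPass's format."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: str      # ISO-8601 timestamp
    user: str    # account e-mail
    ip: str      # source address
    action: str  # login_fail | login_ok | recovery_request | sms_code_sent

# Constructed sample: 203.0.113.7 sprays leaked credentials across accounts,
# while the real owner of a@example.com works from 198.51.100.20.
SAMPLE = [
    Event("2021-04-12T03:10:01Z", "a@example.com", "203.0.113.7", "login_fail"),
    Event("2021-04-12T03:10:02Z", "b@example.com", "203.0.113.7", "login_fail"),
    Event("2021-04-12T03:10:03Z", "c@example.com", "203.0.113.7", "login_fail"),
    Event("2021-04-12T03:10:04Z", "d@example.com", "203.0.113.7", "login_fail"),
    Event("2021-04-12T03:10:09Z", "a@example.com", "203.0.113.7", "recovery_request"),
    Event("2021-04-12T03:10:10Z", "a@example.com", "203.0.113.7", "sms_code_sent"),
    Event("2021-04-12T09:00:30Z", "a@example.com", "198.51.100.20", "login_ok"),
    Event("2021-04-12T09:05:00Z", "a@example.com", "198.51.100.20", "recovery_request"),
]

def stuffing_sources(events, min_accounts=3):
    # One source failing against many distinct accounts is the stuffing signature.
    touched = defaultdict(set)
    for e in events:
        if e.action == "login_fail":
            touched[e.ip].add(e.user)
    return {ip: len(u) for ip, u in touched.items() if len(u) >= min_accounts}

def unfamiliar_recovery(events):
    # Recovery requests / SMS codes from an IP the account never logged in from:
    # the "code I did not ask for" case in this thread.
    known = defaultdict(set)
    for e in events:
        if e.action == "login_ok":
            known[e.user].add(e.ip)
    return [(e.user, e.ip, e.action) for e in events
            if e.action in ("recovery_request", "sms_code_sent")
            and e.ip not in known[e.user]]

def accounts_entered(events):
    # Successful logins from a stuffing source: those master passwords are exposed.
    bad = stuffing_sources(events)
    return sorted({e.user for e in events if e.action == "login_ok" and e.ip in bad})
```

An empty result from accounts_entered alongside hits in unfamiliar_recovery matches the situation the reply describes: attempts were made, but none got past authentication.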
This morning I received a text message:
Your LastPass verification code is xxxxxx
The message came while I was still sleeping, so it definitely wasn't me. I feel someone was trying to access my account. Based on this message, how much do they know? In other words, to trigger this message, did someone have only my email address and select an option to trigger this verification text?
Or worse, does it mean they have my email and password and they triggered this verification text?
I would recommend playing it safe and following the steps in this support article. Set up multi-factor authentication with an app like LastPass Authenticator and change your master password. Take your time with the password; you don't want to lock yourself out in a week's time because you cannot remember what you changed it to.
The same thing happened to me this morning, around 11:30 am GMT +2.
It wasn't me for sure, so I'm really concerned about whether my passwords are safe!
Does anyone have any info about this happening? Couldn't find much on Google.
@monkebaba There have been a few data leaks recently (Facebook is one example); usually what happens next is that the people who get that data start trying the email addresses and phone numbers against various online services to see if they can access anything.
We have had a few reports from customers who have received account recovery emails; this is useless, though, as they would also need to have direct access to your computer or phone to use account recovery. Follow the steps in the support article I linked to in my previous reply and you will have nothing to worry about.
I received an email with the header "LastPass account recovery request", which was a bit suspicious to me, but it seemed to be from LP, so I proceeded to reset the password from the recovery link. I decided to reset the password once more from inside the vault just to be safe. I tried logging in with the second password I set and I could not. I requested account recovery a couple of times, but I couldn't make a new password since I was locked out of my account. I made a last attempt to do the account recovery process, but this is what I keep getting.
I'm certain someone scraped my email from the internet and tried to do account recovery via a script they wrote (you can even check the IPs of the requests; the first one was from Ukraine and the rest are from where I live). I would greatly appreciate any help!