Showing results for 
Search instead for 
Did you mean: 
Active Contributor

I received an unexpected Account Recovery SMS/Email for LastPass

I received a text today "Your LastPass verification code" and then gave a code.   I had not requested any code and in fact was sleeping at the time.   I don't have LastPass authenticator installed.  Is this a hack?  Does this mean someone  has my master password?


Accepted Solutions
LogMeIn Contributor

Re: I received an unexpected Account Recovery SMS/Email for LastPass

Hello Everyone,

Our security and engineering teams have recently observed potential “credential stuffing” attacks occurring. Credential stuffing attacks are events when a malicious or bad actor attempts to access user accounts (e.g., in this case, LastPass) using e-mail addresses and passwords obtained from third-party breaches related to other unaffiliated services. It is important to note that, based on your receipt of an unexpected SMS or Email account recovery request, it is very likely that any attempted access by a third-party has failed due to your use of two-factor authentication. Additionally, we want to reassure you that there is no indication that LastPass or LogMeIn were breached or compromised – these events appear to be entirely based on third-party breaches where individuals are attempting to take exposed e-mail addresses and passwords from unrelated and unaffiliated services and use them to gain access to other accounts. 


We recommend immediately following the steps outlined here to make sure only you have access to your LastPass account, and enabling multi-factor authentication on your account. 

If you have reused your LastPass Master Password anywhere,  we also recommend immediately changing your LastPass Master Password. As a reminder, you should never re-use your LastPass Master Password and should always have multi-factor authentication enabled for your LastPass account.


LastPass has many industry-standard protections in place, from various infrastructure level solutions, such as multiple web application firewalls, DDoS protection solutions, protections for managing Bot activities, and malicious request filtering engines, to various application-level protections where we limit unusual behaviors in various ways. Operating and keeping these tools up-to-date is a continuous effort and to keep you safe.


It’s very important that you use a strong Master Password and it should never be used as a password for any other website or app. Although you’re protected by the many layers of encryption and security we put in place to keep your data safe, using a strong, unique Master Password will not only help to protect you from a brute-force attack but should also ensure that a breach at another random website won’t affect your LastPass account.


While we enforce industry-standard minimums when creating the Master Password (must be at least 12 characters long, at least 1 number, at least 1 lowercase and 1 uppercase letter), LastPass users should make their Master Password as strong as possible. Specifically, that means a Master Password should be long and unique, with a mix of character types.

To help ensure your LastPass and other online accounts are secured from bad actors or hackers, we recommend you follow these online best practices:

  • Use a strong, secure master password for your LastPass account that you never disclose to anyone.
  • Never reuse passwords on multiple accounts, especially your LastPass Master Password. Use a different, unique password for every online account.
  • We strongly advise using the LastPass Security Dashboard to identify websites saved in your vault where you’re re-using passwords. LastPass can help you replace those passwords with strong, unique ones using our password generator tool.
  • Enable dark web monitoring in the Security Dashboard. Once it’s on, you can relax knowing that LastPass is monitoring your account security for you. If an account is at risk, you will receive an alert in your email and in-product.
  • Turn on multi-factor authentication for LastPass and other services like your bank, email, Twitter, Facebook, etc.
  • Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
  • Run antivirus, end-point protection, and/or anti-malware protection software, as well as regularly update your software and anti-virus signatures.
  • Do regular backups (either locally or to the cloud) of your critical data – this will serve you very well in case of ransomware attacks and similar.  If all else fails, you do have your data in a safe pace.  Create a bi-weekly or bi-monthly habit to synch/run backup to catch up any changes. 

RachelO is a member of the LogMeIn Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudos!

View solution in original post

New Contributor

I received an unexpected text with a security code

Hi LastPassers!
I've been using the free version for a few months and I'm very happy with it. Today, however, I received an unexpected text that appeared to contain a six digit LastPass security code. The text reads, "xxxxxx - LastPass security code" where the x's represent numbers.
In the past I've received these texts when I tried to log into my account from a new device. No such event this time.
Can anyone tell me if this is some kind of hack or attack? Should I be worried?

Thanks for your consideration,
Active Contributor

Someone tried to access my lastpass account



Someone tried to access my account today at 3:52AM. Where can I find info about this attempt? IP, OS, location, etc.
P.S. Why is there no phone number or support email for a premium user? Not too fond of this, lastpass team.
New Contributor

Re: Someone tried to access my lastpass account

I have exactly the same issue today and am also frustrated that there is no way of finding out more or reporting it...

LogMeIn Manager

Re: Someone tried to access my lastpass account

Hi @Axxonian 


This support article tells you how to see your account history. There is a Contact Support link at the bottom of every support site article if you ever need to open a ticket.


Some customers have reported getting email alerts that someone tried to recover their account, of course this will not work unless the person also has your computer since the recovery token is stored in your web browser. All LastPass customers should have MFA enabled on their account and linked to a authenticator app like LastPass Authenticator. You should also make sure that verification emails are sent for any sign in attempts from unrecognized IP addresses or devices.


Glenn is a member of the LogMeIn Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!
New Contributor

Verification code/Recovery email was not triggered by me

This morning I received a text message:

Your LastPass verification code is xxxxxx


The message came while I was still sleeping so it definitely wasn't me.  Feel someone was trying to access my account.  Based on this message how much do they know?  In other words, to trigger this message did someone have only my email address and select an option to trigger this text verification text? 

Or worse, does it mean they have my email and password and they triggered this verification text?

LogMeIn Manager

Re: Verification code was triggered not by me

Hi @Vikinig123 


I would recommend playing it safe and following the steps in this support article. Setup multi-factor authentication with an app like LastPass Authenticator and change your master password. Take your time with the password, you don't want to lock yourself out in a weeks time because you cannot remember what you changed it to.


Glenn is a member of the LogMeIn Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!
New Contributor

Re: Verification code was triggered not by me

The same thing happened to me this morning, around 11:30 am GMT +2.

I wasn't me for sure, so I'm really concerned if my passwords are safe!

Has anyone have any info about this happening? Couldn't find much on google.

LogMeIn Manager

Re: Verification code was triggered not by me

@monkebaba There have been a few data leaks recently (Facebook is one example), usually what happens next is the people that get that data start trying the email addresses and phone numbers against various online services to see if they can access anything.


We have had a few reports from customers that have received account recovery emails, this is useless though as they would also need to have direct access to your computer or phone to use account recovery. Follow the steps in the support article I linked to in my previous reply and you will have nothing to worry about.


Glenn is a member of the LogMeIn Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!
New Contributor

Account Hacked! Please help!!!!!!!!!!!

I received an email with a header "LastPass account recovery request" which was a bit suspicious to me but it seemed to be from LP so I proceeded to reset the password from the recovery link. I decided to reset the password once more from inside the vault just to be safe.  I tried logging in with the second password I set and I could not. I requested account recovery a couple times but I couldn't make a new password since I was locked out of my account.  I made a last attempt to do the account recovery process but this is what I keep getting. 


I'm certain someone scraped my email from the internet and tried to do account recovery via a script they wrote (you can even check the IPs of the requests, the first one was from Ukraine and the rest are from where I live). I would greatly appreciate any help!