Worth changing the master password immediately...even if that does not help in the long term...will at least add complications for whoever is behind this.
Lastpass response/comment appears at www.howtogeek.com: "LastPass Says It Didn’t Leak Your Master Password". Several LastPass users claim that they’re receiving emails from the company about unauthorized login attempts using their master passwords. Fortunately, LastPass has responded to the issue, and the password manager says it hasn’t leaked any user information.

It's also worth noting that LastPass cannot leak Master Passwords as, in their own words from their website: "Local-only encryption. Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass."
From Bleeping Computer... https://www.bleepingcomputer.com/ne...arned-their-master-passwords-are-compromised/
With two-factor authentication (2FA) enabled, the master password alone does not give access to the account. I use the Lastpass authenticator on my phone as the second factor. Anyone worried about a breach should enable 2FA if they're not already using it IMHO. https://www.groovypost.com/news/lastpass-authenticator-makes-two-factor-authentication-easier/
This. I thought they claimed to not have the master password, just an encrypted blob. I guess they lied. Makes me more happy I dropped this a few months ago and deleted my account. Which I hope actually happened and that they weren't storing my data without my knowledge or consent.
When you say "they have the master passwords" who are you referring to? LogMeIn/LastPass states: "Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass."
I think they are referring to the master password that you create to log into the program. I do not think they "have" them as per Victek's post.
That is what they have always claimed. I'm still having to wonder how these accounts are being exploited when for most people this password will be unique. Somebody found a way somewhere.
I'm no longer a fan of Lastpass after switching to KeepassXC years ago. But here's an update: https://www.howtogeek.com/776614/lastpass-says-security-alerts-were-sent-in-error/

LastPass Says Security Alerts Were Sent in Error

It turns out, these alerts were sent in error, according to a statement from the company. After further investigation, however, the company found that the warnings were sent to users in error.

From LastPass: Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved. These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a users’ Master Password(s).
In other words, the master password can only be stolen on your device, such as a smartphone, desktop or laptop. This also means that infostealing malware can in theory still do serious damage once it gets access to your master password, but that's why you should be using 2FA to protect all of your most important online accounts.