fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

LastPass Users Warned their Master Passwords are Compromised

LastPass Users Warned their Master Passwords are Compromised

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

The email notifications also mention that the login attempts have been blocked because they were made from unfamiliar locations worldwide.

“Someone just used your master password to try to log in to your account from a device or location we didn’t recognize,” the login alerts warn.

“LastPass blocked this attempt, but you should take a closer look. Was this you?”

Also Read: The DNC Registry Singapore: 5 Things You Must Know

Reports of compromised LastPass master passwords are streaming in via multiple social media sites and online platforms, including TwitterReddit, and Hacker News (original report from Greg Sadetsky).

LastPass_login_attempts_notification
Image: Valcrist

LastPass says it’s credential stuffing

LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer that “LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.”

“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure,” Bacso-Albaum added.

However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere. BleepingComputer has asked LastPass about these concerns but has not received a reply as of yet.

While LastPass didn’t share any details regarding how the threat actors behind these credential stuffing attempts, security researchers Bob Diachenko said he recently found thousands of LastPass credentials while going through Redline Stealer malware logs.

Also Read: How To Comply With PDPA: A Checklist For Businesses

BleepingComputer was also told by LastPass customers who received such login alerts that their emails were not in the list of login pairs harvested by RedLine Stealer found by Diachenko.

This means that, at least in the case of some of these reports, the threat actors behind the takeover attempts used some other means to steal their targets’ master passwords.

Some customers have also reported changing their master passwords since they received the login warning, only to receive another alert after the password was changed.

To make things even worse, customers who tried disabling and deleting their LastPass accounts after receiving these warnings also report [12] receiving “Something went wrong: A” errors after clicking the “Delete” button.

Two years ago, in September 2019, LastPass fixed a security vulnerability in the password manager’s Chrome extension that could have allowed threat actors to steal the credentials last used for logging into a site.

LastPass users are advised to enable multifactor authentication to protect their accounts even if their master password was compromised.


Update December 28, 12:36 EST: Added LastPass statement.

Update December 28, 15:08 EST: Added info on LastPass login pairs stolen by RedLine Stealer malware.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us