Some users of password manager LastPass are reporting that their master passwords have been compromised after receiving emails that someone had tried to access their accounts from unknown locations.

News of the compromise first emerged Tuesday on social media, including Twitter Inc., Reddit Inc. and Y Combinator’s Hacker News. The threads tell a similar tale: The users had received a notification of people trying to log in using their master password. In some cases, the internet protocol address in the notifications was from an anonymizing proxy service, while in other cases, the IP address was from Brazil.

The email notifications note that the login attempts have been blocked because they were made from unfamiliar locations. “Someone just used your master password to try to log in to your account from a device or location we didn’t recognize,” the email messages to affected users state. “LastPass blocked this attempt, but you should take a closer look. Was this you?”

That they were blocked is a positive, since LastPass managed to stop the attempts. But the obvious question is: How were the LastPass master passwords seemingly compromised?

LastPass has responded to the reports, saying it has observed a slight uptick in attempted credential-stuffing attacks. Credential-stuffing is a type of cyberattack that involves using stolen account credentials, typically username or emails addresses with corresponding passwords, that are then used to gain access to accounts on other services.

The whole point of using LastPass is to have different passwords on different sites and services, but in this case, those same users are using a previously used password as their master password for LastPass.

“While we have observed a small uptick in this activity, we are utilizing multiple technical, organizational, and operational methods designed to protect against credential stuffing attempts, Gabor Angyal, senior director of engineering at LastPass, said in a blog post. “Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn were breached or compromised.”

The protection offered by LastPass includes notifying users when there are observed failed login attempts, such as with these credential stuffing attempts. LastPass also routinely requires users to re-login to their accounts and re-verify trusted devices.

Angyal notes that it’s very important that users use a strong master password and never reuse that password on any other website or app.

LastPass was last in the news Dec. 14 when parent company LogMeIn Inc. revealed that it was spinning off LastPass as a separate company.

Image: LastPass