Credential Stuffing Attack - LastPass Jan 2022

At the tail end of last year there were reports of a series of "credential stuffing" attacks against LastPass accounts globally. A large number of users received emails stating that their username and password had been used and that access had been shut down due to security concerns.

What happened?

LastPass has investigated recent reports of blocked login attempts and believes the activity is related to attempted “credential stuffing” activity. At this time, it does not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party.

LastPass's statement can be found at:

Unusual attempted login activity and how LastPass protects you

What should I do?

LastPass has released a statement detailing the incident and confirms that the current recommendations for managing your master password remain very much the same:

  • Make sure that your LastPass Master Password is unique and strong
  • Where possible, use multi-factor authentication with all services that support it
  • More widely, do not reuse passwords

What is credential stuffing?

In a credential stuffing attack, existing compromised combinations of usernames and passwords are used to try to access services. If you have reused usernames and passwords, you are vulnerable to this form of attack.

It is the advice of Information Security that you should use unique passwords for all services where possible.
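
To make the reuse risk concrete, the following added example (not part of the LastPass statement or of this notice) audits a list of stored logins for reuse and shows which other accounts a single leaked username and password pair would open. The entry layout, the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample entries (service, username, password); not real data.
SAMPLE_VAULT = [
    ("mail.example", "alice@example.org", "Tr0ub4dor&3"),
    ("shop.example", "alice@example.org", "Tr0ub4dor&3"),
    ("forum.example", "alice_w", "Tr0ub4dor&3"),
    ("bank.example", "alice@example.org", "x9!Lq#27vRpe"),
    ("vpn.example", "alice@example.org", "correct horse battery"),
]

def _tag(key, *parts):
    """Keyed digest, so entries are grouped without keeping plaintext as dict keys."""
    return hmac.new(key, "\x00".join(parts).encode("utf-8"), hashlib.sha256).digest()

def audit_reuse(entries, key=None):
    """Return (pair_reuse, password_reuse), each a sorted list of service groups.

    pair_reuse: same username AND password, which a replayed pair hits directly.
    password_reuse: same password under any username.
    Usernames are compared case-insensitively (an assumption of this example).
    """
    key = key or os.urandom(32)
    by_pair, by_password = defaultdict(set), defaultdict(set)
    for service, username, password in entries:
        by_pair[_tag(key, username.lower(), password)].add(service)
        by_password[_tag(key, password)].add(service)
    pairs = sorted(sorted(s) for s in by_pair.values() if len(s) > 1)
    pwds = sorted(sorted(s) for s in by_password.values() if len(s) > 1)
    return pairs, pwds

def exposed_by_breach(entries, breached_service):
    """Other services that accept the exact pair stored for breached_service."""
    leaked = {(u.lower(), p) for s, u, p in entries if s == breached_service}
    return sorted(s for s, u, p in entries
                  if s != breached_service and (u.lower(), p) in leaked)

if __name__ == "__main__":
    pairs, pwds = audit_reuse(SAMPLE_VAULT)
    print("Same username and password:", pairs)
    print("Same password, any username:", pwds)
    print("Opened if shop.example leaks:", exposed_by_breach(SAMPLE_VAULT, "shop.example"))
```

In the sample data, a leak at shop.example exposes mail.example, while the uniquely protected bank.example and vpn.example entries expose nothing else.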

Further advice on the use of passwords can be found at:

Passwords