Further investigation into possible hacks of LastPass accounts via so-called ‘credential stuffing’ reveals that LastPass’s earlier conclusion was incorrect. LastPass’s own systems falsely generated security alerts that were believed to indicate hacking attempts.

The fuss surrounding possible LastPass account hacks has unexpectedly taken a new turn. Though the company initially indicated that an uptick in user security alerts might have been caused by hackers attempting credential stuffing, a different culprit has now come to light.

Cause in own systems

According to an expanded version of LastPass’s statement (excerpt found below), further investigation revealed that the security alert emails were created by LastPass’s own systems. The alerts were mistakenly generated and sent to a limited subset of LastPass users.

The cause of the error is not indicated in the statement. In any case, LastPass has modified its security alerting systems to prevent false flags from happening in the future.