The security incidents were not, the statement read, "caused by any LastPass product defect." Maybe not, but corporate security processes and controls appear to have fallen even shorter than corporate comms. However, the red flags started waving for me when the statement confirmed that a threat actor had "targeted a senior DevOps engineer by exploiting vulnerable third-party software." Wait, what? By doing so, we were informed that the attacker delivered malware that could bypass security controls and gain access to those cloud backups. That's fair enough; file under lessons learned. This confirmed that LastPass needed to catch up regarding communication regarding the security incidents being comprehensive and frequent enough. "Trust is paramount in the world of password management," I concluded, "and there can be little doubt that trust is being tested hard right now."

The final LastPass hack attack bombshell drops

And then, on March 1, yet another update to the December 22 incident disclosure dropped. This gave the attacker a head start on any attempts to decrypt vaults, as users had been advised that no further action was required up until this point. This wouldn't help anyone with a weak master password in terms of the stolen vaults, of course, so those customers were advised to change all their passwords as soon as possible. At this point, I stated that if I were a LastPass user, I'd be looking for alternatives given the drip feed of breach information, especially since it took so long to determine that customer vaults had been stolen. At this point, I recommended that users change their master password, which would also re-encrypt their password vault, based on better safe than sorry.
With local access to the encrypted databases, this becomes a lot easier to pull off but is still dependent on the user either having a weakly constructed master password or one reused across services, including one that has been compromised. Unless, of course, they used brute-force methods to try known passwords from other breaches. This meant the attacker now had customer password vaults but not the means to open them.

LastPass attacker stole customer password vaults

When I woke up this morning I opened LastPass and it instantly logged me in with Face ID. Next, he had me delete the LastPass app on my iPhone and reinstall it, and finally we adjusted some Security Settings within the app. He said there were about 35 authorizations, so he deleted them all on his end (something I could not do on my end), then had me re-authenticate on my computer and iPhone, then had me log in to my LastPass Account in Chrome and adjust some Account Settings under Trusted Devices and Mobile Devices. I believe the main culprit was some outdated and/or corrupt authorized devices associated with my LastPass Account. As I said, I got a call back within 15 minutes, and he was on the phone with me for at least 20 minutes trying very hard to fix the issue, which he ultimately did. Maybe you'll get someone else who's more helpful. I can remember it, but it's a pain in the rear to retype EVERY time I need this app. Bummer about your Technical Support experience. This is beyond frustrating, especially since my Master Password is a long one. Restarting my iPhone does not help, nor does reinstalling the LastPass app. Just tested again with this setting set to 24 hours and after only a few minutes I was prompted to re-enter my Master Password. Sometimes I stay logged in, sometimes I don't. *Tried changing this to other options (like 24 hours) but with mixed results. It appears to be quite random. Additionally, I'm using LastPass Authenticator, and each time I'm logged out I have to reselect "Trust this device" for 30 days, but immediately upon closing (but not quitting or logging out of the app) I not only have to re-enter my Master Password but I have to go through the Authenticator again, and LastPass doesn't seem to remember that I instructed it to remember my device for 30 days. It seems to have started with iOS 15, but the problem has persisted every time there's an iOS update or a LastPass app update. I've been having the same problem for a couple months now.