LastPass users furious after being locked out due to MFA resets

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/lastpass-users-furious-after-being-locked-out-due-to-mfa-resets/

LastPass password manager users have been experiencing significant login issues starting early May after being prompted to reset their authenticator apps.

The company first announced that users might need to log back into their LastPass account and reset their multifactor authentication preference due to planned security upgrades on May 9.

However, since then, numerous users have been locked out of their accounts and unable to access their LastPass vault, even after successfully resetting their MFA applications (e.g., LastPass Authenticator, Microsoft Authenticator, Google Authenticator).

Compounding the problem, affected customers cannot seek assistance from support since reaching out to LastPass support requires logging into their accounts which they can't do because they're locked in an infinite loop of being prompted to reset their MFA authenticator.

LastPass users furious after being locked out due to MFA resets

LastPass password manager users have been experiencing significant login issues starting early May after being prompted to reset their authenticator apps.

www.bleepingcomputer.com

 

[upnorth]

One would think the previous issues learned most LP users to not put all their eggs in one basket.

 

[vtqhtr413]

Compounding the problem, affected customers cannot seek assistance from support since reaching out to LastPass support requires logging into their accounts which they can't do because they're locked in an infinite loop of being prompted to reset their MFA authenticator.

This happened to me with my Cable tv company, mobile provider, internet provider, gas company, insurance company, bank, ex wife, pet food provider.

 

[piquiteco]

One would think the previous issues learned most LP users to not put all their eggs in one basket.

But it has happened to @R2D2 he was with eggs all in one basket literally of course. He said it took more than two weeks resetting the passwords and MFA, speaking of which @R2D2 disappeared you have seen him around? I have not seen him more commented here in MT for a long time, I hope he is well.

 

[oldschool]

One would think the previous issues learned most LP users to not put all their eggs in one basket.

One would think that everyone might re-think their dependence on password managers generally, understanding that convenience has its costs.

 

[MuzzMelbourne]

I generally only use PW mangers for relatively unimportant sites and for general convenience.

Important information I keep in individually locked, and backed-up, notes.

 

[I Walk MY Way]

This is ones of these I locked the safe, and put the key in the safe to keep it safe, ho wait now i need to get back into the safe darn, lol last pass

 

[TairikuOkami]

One would think that everyone might re-think their dependence on password managers generally, understanding that convenience has its costs.

Indeed, people expect everything to work perfectly and they fail to imagine the worst case scenario, so they are like: How to restore my data, when I have no backups?!
Most accounts can be simply reset, but you need one important thing, the ability to login to the email, so if anything, keep that safe, plus a recovery code or a second 2FA.

 

[LiquidExploit]

I moved from LastPass to Bitwarden a long time ago after they crippled the free tier. Every few months LastPass seems intent on reminding me I made the right decision lmao

 

[piquiteco]

Indeed, people expect everything to work perfectly and they fail to imagine the worst case scenario, so they are like: How to restore my data, when I have no backups?!

The problem is that people rely too much on the cloud, if you had exported a backup, even in unencrypted .CSV format on a memory card or USB stick now it might be useful to import that backup.

 

[Jonny Quest]

The problem is that people rely too much on the cloud, if you had exported a backup, even in unencrypted .CSV format on a memory card or USB stick now it might be useful to import that backup.

And we can password protect an excel file itself.

 

[piquiteco]

And we can password protect an excel file itself.

Exactly, I hadn't even thought of that, good point @Jonny Quest should the file fall into the wrong hands it will still have a password.

 

[Lightning_Brian]

Hate to say it folks.....but I pulled out from LastPass. The recent stuff that happened....Yeah couldn't do it anymore.

I'll be updating my security setup notes when I get around to that, but no more LastPass for this dude. Granted LastPass is better than some other solutions out there.. I just lost my own personal trust in em'. Sticking it out with Bitwarden, RoboForm, and Sticky Password. They all have some cool and unique features. Bitwarden has been my go to now for a bit. More and more of my clients from a consultative side of things are making the swap too.

 

[Ink]

LastPass has been going downhill since 2015. Long-term LastPass users have ignored all the warning signs, and they will continue to sleep on this latest snafu.

On October 9, 2015, GoTo acquired LastPass for $110 million. The company was combined under the LastPass brand with a similar product, Meldium, which had already been acquired by GoTo.

Other incidents

• 2011 security incident
• 2015 security breach
• 2016 security incidents
• 2017 security incidents
• 2019 security incidents
• 2020 security incident
• 2021 third-party trackers and security incident
• 2022 customer data and partially-encrypted vault theft

Link: LastPass - Wikipedia

Edit:
If I recall correctly, the LastPass Authenticator requires users to log into their LastPass account to access codes. (?)