LastPass users furious after being locked out due to MFA resets

Gandalf_The_Grey

LastPass password manager users have been experiencing significant login issues starting early May after being prompted to reset their authenticator apps.

The company first announced that users might need to log back into their LastPass account and reset their multifactor authentication preference due to planned security upgrades on May 9.

However, since then, numerous users have been locked out of their accounts and unable to access their LastPass vault, even after successfully resetting their MFA applications (e.g., LastPass Authenticator, Microsoft Authenticator, Google Authenticator).

Compounding the problem, affected customers cannot seek assistance from support since reaching out to LastPass support requires logging into their accounts which they can't do because they're locked in an infinite loop of being prompted to reset their MFA authenticator.
 

vtqhtr413

"Compounding the problem, affected customers cannot seek assistance from support since reaching out to LastPass support requires logging into their accounts which they can't do because they're locked in an infinite loop of being prompted to reset their MFA authenticator."
This happened to me with my cable TV company, mobile provider, internet provider, gas company, insurance company, bank, ex-wife, pet food provider.
 

piquiteco

One would think the previous issues learned most LP users to not put all their eggs in one basket.
But it has happened to @R2D2; he had his eggs all in one basket, literally of course. He said it took more than two weeks resetting the passwords and MFA. Speaking of which, @R2D2 disappeared; have you seen him around? I have not seen him comment here on MT for a long time. I hope he is well. :)
 

TairikuOkami

One would think that everyone might re-think their dependence on password managers generally, understanding that convenience has its costs.
Indeed, people expect everything to work perfectly and they fail to imagine the worst case scenario, so they are like: How to restore my data, when I have no backups?!
Most accounts can be simply reset, but you need one important thing: the ability to log in to the email. So if anything, keep that safe, plus a recovery code or a second 2FA.
 

piquiteco

"Indeed, people expect everything to work perfectly and they fail to imagine the worst case scenario, so they are like: How to restore my data, when I have no backups?!"
The problem is that people rely too much on the cloud. If you had exported a backup, even in unencrypted .CSV format on a memory card or USB stick, now it might be useful to import that backup.
 

Lightning_Brian

Hate to say it folks.....but I pulled out from LastPass. The recent stuff that happened....Yeah couldn't do it anymore.

I'll be updating my security setup notes when I get around to that, but no more LastPass for this dude. Granted, LastPass is better than some other solutions out there. I just lost my own personal trust in 'em. Sticking it out with Bitwarden, RoboForm, and Sticky Password. They all have some cool and unique features. Bitwarden has been my go-to now for a bit. More and more of my clients from a consultative side of things are making the swap too.
 

Ink

LastPass has been going downhill since 2015. Long-term LastPass users have ignored all the warning signs, and they will continue to sleep on this latest snafu.

On October 9, 2015, GoTo acquired LastPass for $110 million. The company was combined under the LastPass brand with a similar product, Meldium, which had already been acquired by GoTo.

Other incidents
  • 2011 security incident
  • 2015 security breach
  • 2016 security incidents
  • 2017 security incidents
  • 2019 security incidents
  • 2020 security incident
  • 2021 third-party trackers and security incident
  • 2022 customer data and partially-encrypted vault theft
Link: LastPass - Wikipedia

Edit:
If I recall correctly, the LastPass Authenticator requires users to log into their LastPass account to access codes. (?)
 
