LastPass users targeted in phishing attacks good enough to trick even the savvy
Password-manager LastPass users were recently targeted by a convincing phishing campaign that used a combination of email, SMS, and voice calls to trick targets into divulging their master passwords.
It happened again, but this time on the user side of the house. LastPass users targeted by #vishing attackers.
VISHING: the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
I canceled #lastpass premium years ago (while they were part of #logmein), then they spun off or something and guess what - my premium subscription was reinstated 😡
I've successfully had the charges refunded by my CC at least 2 years now and the charge appeared again for this year.
I signed into LastPass and sure enough, a premium subscription was again associated with my account. I canceled it - again.
Did LastPass send me a cancellation confirmation email? No. Is there a way for me to
Am I going to try and get a refund of premium this year? No. Does that mean I'm acknowledging that I made the purchase? Hell no. It's simply that #lastpass makes it a real pain to get a refund from them and the #creditcard companies don't make it much easier. I'd spend more "money" in time than I'd get back from disputing.
But...anyone know a good class action #lawyer if this happens next year? 🤬
In 2021 I cancelled my #LastPass subscription & migrated. I deliberately, & carefully, deleted my credit card information & all passwords from the account. I received email acknowledgement, & then I forgot about it.
That was a mistake.
Turns out, they continued to charge me. Every year. Even increased the fee.
Haha while #Apple lobbyists are trying to convince the EU Commission that they are the only party in the world capable of running a secure app store, a fraudster uploads a fake #LastPass app.
“Furthermore, #LastPass added that it will also start checking new or updated master passwords against a database of credentials previously leaked on the dark web to ensure that they don't match already compromised accounts.”
Wow, I really hope that they don’t choose the most straightforward approach to implement this feature. Given their security track record they actually might however, and it will be a disaster.
Unless they implement it as some kind of client-side check, this will weaken master password security massively. Such lookups require unsalted hashes, and sending out your master password like that to any remote party is bad. As in: really bad.
Ok, I checked how the #LastPass credential monitoring feature works, presumably it will be used for master passwords as well in future. I didn’t bother downloading the current LastPass version at this point, I’m looking at the one from May last year.
Edit: I previously stated that hashes of passwords were being sent to a LastPass endpoint. I misinterpreted the code here however – it hashes usernames, not passwords. Also not great but far from being the disaster that sending hashed passwords would have been.
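Added example, not LastPass's code and not from either of the two posts above: the kind of client-side check the first post argues for, done the way the Have I Been Pwned "Pwned Passwords" range API does it (k-anonymity). The lookup does need an unsalted SHA-1, as the post says, but the client sends only the first five hex characters of it and compares the remaining suffix locally, so the remote party never sees the password or its full hash. The range server here is a constructed in-memory stand-in; its counts are made up, and the only real value in its table is the SHA-1 of the string "password". A naive variant that ships the whole hash is included for contrast.

```python
import hashlib
from typing import Dict, List, Tuple


class FakeRangeServer:
    """Constructed stand-in for a k-anonymity range-query server.

    Real servers of this kind (e.g. the HIBP Pwned Passwords range API) take a
    5-hex-char SHA-1 prefix and return every known "SUFFIX:COUNT" under it.
    The table below is constructed: the first suffix is the real SHA-1 of the
    string "password", the other two are filler, and every count is made up.
    """

    def __init__(self) -> None:
        self.db: Dict[str, List[str]] = {
            "5BAA6": [
                "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # SHA-1("password"); count constructed
                "003D68EB55068C33ACE09247EE4C639306B:3",      # constructed filler
                "011053FD0102E94D6AE2F8B83D76FAF94F6:1",      # constructed filler
            ],
        }
        self.requests: List[str] = []  # everything the server actually gets to see

    def range_query(self, prefix: str) -> List[str]:
        self.requests.append(prefix)
        return self.db.get(prefix, [])


def check_pwned(password: str, server: FakeRangeServer) -> Tuple[str, int]:
    """Client-side check. Returns (prefix_sent, breach_count).

    The corpus lookup needs an unsalted hash (a salted one could never match a
    shared corpus), but only the 5-char prefix leaves the client; the suffix
    comparison happens locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in server.range_query(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return prefix, int(count)
    return prefix, 0


def naive_check(password: str, server: FakeRangeServer) -> bool:
    """The approach the post warns about: ship the whole unsalted hash.

    Included only for contrast. After this call the server holds an
    offline-crackable hash of the (master) password.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    server.requests.append(digest)  # 40 hex chars: the full hash is now remote
    return any(line.split(":")[0] == digest[5:] for line in server.db.get(digest[:5], []))


if __name__ == "__main__":
    srv = FakeRangeServer()
    print(check_pwned("password", srv))                 # ('5BAA6', 12345)
    print(check_pwned("correct horse battery staple", srv))
    print([len(r) for r in srv.requests])               # [5, 5]: prefixes only
    naive_check("password", srv)
    print(len(srv.requests[-1]))                        # 40: whole hash leaked
```

The `requests` list stands in for the server's access log: with the range query it only ever contains five-character prefixes, each of which covers hundreds of candidate suffixes, whereas the naive variant hands over the complete unsalted hash.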
Farewell, LastPass (premium), it was a rocky ride. I was 2 years late to delete my dormant account anyway.
I had migrated to self-hosted and dockerized Vaultwarden (open-source alternative @bitwarden backend) last year, along with official clients. Loving the overall experience so far!
@tailsy@keirFox also, if you used #LastPass and had its password stored, it’s best to change all your passwords too.
The breach was something huge. Every vault backup leaked, not everything is encrypted. URL, last visit (at time of breach), if it was auto-generated or not, and a few other fields. That's really not "zero knowledge" when non-zero fields are in the clear.
It's a stretch to tell anyone be the target. It's a non-zero chance now that it's leaked. A matter of time.