LastPass is an online password manager, which helps users keep track of their passwords and generate new ones for each account. The program also offers mobile apps and two-factor authentication (2FA) to protect users’ accounts in the event of a breach.
LastPass has a free version for basic functionality, but its premium plans offer additional features such as multi-device support and the ability to access a vault offline. LastPass is popular among security enthusiasts and tech professionals, but it’s not without its flaws. Recently, many LastPass users have been left frustrated after finding themselves locked out of their accounts.
The issue appears to stem from a reset of the LastPass authenticator app in May 2023 that was designed to implement “planned security upgrades.” While users were informed of this change in an in-app message and email, they were not explicitly told how to recover their accounts after the reset, which is why so many have been stuck in what Bleeping Computer describes as an “infinite loop” of being prompted to reset their MFA authenticator.
In a blog post, LastPass explains that the reset was necessary due to a recent hack that allowed hackers to snoop on encrypted files containing email addresses, password-reminder hints, and other information relating to master passwords. It says, however, that password vault data was not exfiltrated.
This type of attack is known as credential stuffing: bad actors take usernames and passwords leaked in one data breach and try them against accounts on other services. It is possible that this is how attackers gained access to LastPass customers’ accounts in December 2022, but the company has yet to confirm this.
While the latest incident is a big headache for affected users, it’s not the only problem that LastPass has faced recently. The password management service was also hit by a bug in 2019 that could’ve exposed user passwords through its browser extension.
LastPass offers a number of ways to help users keep their accounts secure, including 2FA, a passphrase, and a tamper-proof password generator. The service also lets users designate trusted users who can access their passwords and login details if the account is lost or stolen.
The software is available for Windows, Mac, and Linux computers, as well as iOS and Android phones and tablets. The password manager can also be accessed on smartwatches.