Everyone who is taking online security seriously today is using a password manager of some sort. It is impossible to follow the recommendations of having different passwords for all websites and services without using some sort of tool to remember your passwords. Some people use their browser for this, but that isn’t a very secure solution. That is also why the competition among password managers has grown rapidly in recent years.
LastPass is one of the most famous password managers and I have been using it myself for years. I really like it and enjoy using it, and if you only want to use it on your computer, you can actually have a great time with the free version.
But there are a couple of things that neither a VPN nor a password manager can protect you against. Do you know what they are? Human stupidity, bad decisions, and a few minutes in which you lack concentration!
LastPass phishing email.
A few years ago, I received an email from “Netflix” telling me that my subscription had been canceled. I quickly clicked the link and logged in to my Netflix account. But when I had logged in, I quickly understood that something was wrong, because not even the address was correct. Within a few seconds, I went to the real Netflix website, changed my password, and made sure to have Netflix log me out of all other devices.
This could have been an ugly case in which some people would suddenly sell my Netflix subscription on eBay or maybe try to use the same username/password combination on other services.
Since then, I have been trying to pay better attention, but it is so easy to make mistakes, even though you know all about phishing emails and other scams/hacks.
Do I really want to delete my LastPass account?
Yesterday, I was looking around in my LastPass account because I wanted to look at its different functions. I also did so because I wanted to compare it with NordPass, a different password manager that I am trying out these days.
Today I received an email saying that I had requested to delete my NordPass account. Had I clicked some wrong button yesterday as I looked around on the website? For 10 seconds I actually got a little bit worried (and I even forgot that the email had been found in my junk filter). Luckily, I came to my senses before doing anything stupid, and when I later hovered my mouse over the link, I noticed that it wouldn’t take me to the LastPass website, but to some other site with a similar address.
As you can see above, the email is quite spammy and there are lots of warning signs. But if you are in a hurry and feel a little stressed, you might actually end up clicking the link to confirm that you want to delete your LastPass account.
Clicking the link alone might not hurt you (or your computer), but you should still be careful about clicking such links at all. If you do visit the website, the real problems begin when you type in your username and master password in order to confirm that you do not want to delete your LastPass account. At that moment, the hackers get access to your account and can start to harm you.
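The hover check described above (does the link really go to the LastPass website, or to a similar-looking address?) can be automated for an email's HTML body. The following is an added example, not code from the original post or from LastPass; the email body, the `.example` domains and the `EXPECTED_DOMAINS` allowlist are all constructed for illustration. It extracts every link, compares the real destination host against the allowlist, and flags two classic phishing patterns: a host that merely contains the brand name (a lookalike), and visible link text that shows one URL while the `href` points somewhere else.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body; the .example domains are reserved placeholders,
# chosen to mimic the "similar address" trick described in the post.
SAMPLE_EMAIL_HTML = """
<p>Your LastPass account deletion request was received.</p>
<p><a href="https://lastpass-account-verify.example/confirm?uid=123">Click here to cancel</a></p>
<p><a href="https://www.lastpass.com/">https://www.lastpass.com/</a></p>
<p><a href="https://lastpass.com.security-check.example/login">https://lastpass.com/login</a></p>
"""

# Hypothetical allowlist of domains a genuine LastPass email is expected to link to.
EXPECTED_DOMAINS = {"lastpass.com"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def host_matches(host, expected):
    """True only for the expected domain itself or a real subdomain of it
    (so 'lastpass.com.evil.example' does NOT match 'lastpass.com')."""
    return host == expected or host.endswith("." + expected)


def classify_link(href, text, expected_domains=EXPECTED_DOMAINS):
    """Return 'ok', 'mismatch', 'lookalike' or 'external' for one link."""
    host = host_of(href)
    if any(host_matches(host, d) for d in expected_domains):
        return "ok"
    # If the visible text is itself a URL, the displayed host must equal the real one.
    text_host = host_of(text) if text.startswith(("http://", "https://")) else ""
    if text_host and text_host != host:
        return "mismatch"
    # Brand name embedded in an unrelated host: the "similar address" trick.
    for d in expected_domains:
        if d.split(".")[0] in host:
            return "lookalike"
    return "external"


def audit_email(html, expected_domains=EXPECTED_DOMAINS):
    """List every link in the body together with its verdict."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, classify_link(href, text, expected_domains)) for href, text in parser.links]


if __name__ == "__main__":
    for href, verdict in audit_email(SAMPLE_EMAIL_HTML):
        print(f"{verdict:10} {href}")
```

Anything other than `ok` deserves the same treatment the post recommends: do not click, and open the real website by typing its address yourself. Note that the check only looks at links; it says nothing about the sender address or mail headers, which a filter would also inspect.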
You might still be lucky, even if you have “given away” your username and password. LastPass normally requires an email confirmation if someone tries to log in to your account from an unknown IP address. However, this doesn’t always happen, so it isn’t something you can rely on.
If you have already made the mistake, change the master password of your account as quickly as possible and log all other sessions out of your account.
But you should also go to the advanced options in your LastPass account and take a look at your LastPass account history. There you can see the most recent logins to your account and the other pages that have been visited. This will give you an idea of whether someone has actually accessed your account. If you find the log empty (or only your most recent login is there), then someone has logged in to your account and cleared the log history.
Did someone access your LastPass account for a few minutes?
You have changed your master password. Your LastPass account should be safe. Is everything fine now?
If someone actually accessed your LastPass account, do not forget that they probably found the password to your email account among the stored passwords. With this in hand, they could quickly request an export of all your LastPass passwords. Such a request has to be confirmed by clicking a link in an email sent to your email address, but since they already have that password, this can be done within a few minutes. Afterward, they can delete those emails from your mailbox, so you have no clue what just took place.
Even if you have changed your master password, the hackers might still hold a downloaded file with all your passwords from LastPass. That is an ugly thought, isn’t it?
Maybe they didn’t export all your passwords, but they could still have copied all sorts of usernames and passwords from your account.
If you suspect something like this might have happened, call in sick for work the next day, because you have a lot of passwords to change on all the different services that you use.