LastPass 2FA reset prompts are locking users out of accounts
LastPass’s attempts to clean up after its security breaches aren’t going so well. At least, not for users. Some customers are getting locked out of their accounts after following LastPass’s prompt to resync their two-factor authentication—and they’re rightfully angry.
The story goes like this: In 2022, LastPass announced two major security breaches. During the first, which was revealed in August, source code and proprietary technical information were hijacked. A second breach led to customer data being stolen, including password vault data, some of which was stored unencrypted.
Customers were notified in December 2022, and at that time, LastPass recommended that users reset their 2FA secrets for authenticator apps like LastPass Authenticator, Google Authenticator, Microsoft Authenticator, or the equivalent (e.g., Authy) as a precaution. Then in May of this year, the company began to prompt customers who hadn’t yet made this update to do so.
But as Bleeping Computer reports, following LastPass’s instructions can lead to account lockouts. Multiple users in LastPass’s forums have stated they can’t log in after resetting their 2FA secret—and until June 26, they also had no way of contacting support. Premium users had to log into the site to submit a support ticket, and free users simply lacked access to “personal” one-on-one support. Neither group could get help.
If you’re stuck in this situation, LastPass now has a special customer service page for you. Should Option 1’s SMS recovery method not work, scroll down to Option 2 and click on the red Contact support button to begin filing a ticket.
As you wait for a response, you may also be able to troubleshoot the problem yourself—if you seem to be running up against error messages related to a wrong password. Look for a location verification email in your Inbox or Spam folders. If your security email is different from your login email, check that email address for the message. Click the link in it to verify your IP address. You can tell whether you’re locked out due to location verification by the style of the denial message (see below).
When location verification is required, the login error message appears above the login form. When you enter a bad password, the error message appears below the login form.
If LastPass isn’t recognizing the new 2FA codes, and you haven’t yet deleted the last secret from your app, try the older codes.
Unfortunately, if these steps don’t help (or if you’re locked in an ongoing cycle of authenticator reset notifications), you’ll have to wait for LastPass’s assistance. With the new direct line of customer support for this particular issue, it will hopefully happen faster—on June 20, one user reported being locked out for five days with still no contact from LastPass.
In a statement to Bleeping Computer, LastPass says its prompts for users to resync their 2FA secrets began appearing in early June, in hopes of getting more of a response. Earlier emails had been sent in March and April 2023 to remind customers. (A check of a PCWorld test account with LastPass does not show a record of these emails, so not all users may have received them.)
If this whole situation seems too messy, you can still leave LastPass—as others have already done. It’s not difficult and takes very little time, as we explain in our guide on How to export your passwords and ditch LastPass. Need a suggestion on where to jump ship to? Our list of the best password managers can point you in the right direction—and it includes free options.