What you need to know right now about LastPass and phishing



Recently, cybersecurity researcher Sean Cassidy revealed a phishing tool called LostPass that he developed to attack password manager LastPass. LostPass was even able to bypass 2-factor authentication, raising security concerns among the many loyal LastPass users.

If you are a LastPass user, don’t panic… yet. To be affected, a LastPass user had to visit a malicious website. LastPass had a technical issue that allowed the malicious webpage to make it appear that the user had logged out. When the user clicked on the new login button (in reality a false banner created by the attacker), it sent them to a new screen that looked identical to the LastPass login screen. They were then prompted to log in using their LastPass master password, and the password was sent to the hacker’s server, providing access to all of the user’s information stored in LastPass.

Abine’s security professionals want to be sure that you stay safe online and protect your online privacy.

The bottom line from our experts: always be sure which website you are on before entering your password and login credentials. If you have any doubts, with Abine’s product Blur you can visit https://dnt.abine.com and verify that the green lock in the URL bar shows the same address: https://dnt.abine.com. When logging in on a new page, always make sure that the address on this green lock matches the address of the page you believe you are visiting.


Make sure you are not logging into a malicious website by verifying the address on the green lock.
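The same address check can be expressed in code, which shows why a quick glance at the URL bar is not enough: the expected name can appear in a URL without being the site you are actually connected to. This is an added example, not code from Abine or LastPass; the function name and the sample addresses are constructed for illustration, and only https://dnt.abine.com comes from the article.

```javascript
// Added example: exact-origin check for a login page address.
// EXPECTED_ORIGIN comes from the article; everything else is constructed.
const EXPECTED_ORIGIN = "https://dnt.abine.com";

// Hypothetical helper: true only if `address` is served from the expected
// scheme + host + port. Path, query, fragment and userinfo are ignored,
// because none of them decide which server receives the password.
function isExpectedLoginPage(address, expectedOrigin = EXPECTED_ORIGIN) {
  let url;
  try {
    url = new URL(address); // rejects bare host names and malformed input
  } catch {
    return false;
  }
  return url.origin === new URL(expectedOrigin).origin;
}

// Constructed sample addresses (evil.example is a reserved test domain).
const samples = [
  "https://dnt.abine.com/#/login",            // genuine
  "https://DNT.ABINE.COM:443/",               // genuine: case and default port normalize
  "http://dnt.abine.com/",                    // wrong scheme, no TLS
  "https://dnt.abine.com.evil.example/login", // expected name used as a subdomain
  "https://dnt.abine.com@evil.example/login", // expected name used as userinfo
  "https://evil.example/dnt.abine.com/login", // expected name used as a path
  "https://dnt-abine.com/",                   // similar-looking host
  "https://dnt.\u0430bine.com/",              // Cyrillic "a" in the host
  "dnt.abine.com",                            // not an absolute URL
];

function classify(list) {
  return list.map((address) => [address, isExpectedLoginPage(address)]);
}

for (const [address, ok] of classify(samples)) {
  console.log(ok ? "match   " : "MISMATCH", address);
}
```

Only the first two addresses match; every other one contains or imitates the expected name while pointing at a different origin.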

Remember to keep your passwords strong and unique for each website, and use Masked Cards or Masked Emails when you aren’t sure about a website to protect your credit card information, email address and your online privacy.

One Reply to “What you need to know right now about LastPass and phishing”

  1. Righteous Indignation says:

    Wow, I am embarrassed…

    Not only did I just sing their accolades on their Facebook page, for their part in watching my real identity when it was compromised 2 years ago, having just wrapped up the investigation successfully, but just hours ago, I removed from my browser history 2 LastPass entries that were just a jumble of random letters. I only remember it being an issue having something to do with Chrome Browser and Extensions needing an update…

    Where the hell was the notification from them? When their servers were attacked within the last year we were notified, through the extension, app, and email what transpired, and they came out champs on that…

    Your post is THE FIRST I’ve heard of this vulnerability, and I only saw it because I’m, at this very moment, having an issue with Facebook saying my Blur Masked phone number is “not valid” as a contact phone –

    What gives with THAT, Blur?!

    – and was coming to your FB page to send a note about that when I happened to see this article about LastPass being acquired by LogMeIn (WTH???!!), another bit of info I’d not yet received from LP, and while reading it, glanced at the clickable article titles and saw the above article and now here I am… freaking out just a bit.

    Time for a bit of de-stressing. Cheers.
