LastPass, the password manager service, has faced widespread login problems since early May, when users were instructed to reset their authentication apps. The company initially told users they would need to log back into their LastPass accounts and reset their multifactor authentication (MFA) settings as part of security enhancements scheduled for May 9. However, numerous users have found themselves locked out of their accounts and unable to reach their LastPass vaults, even after successfully re-pairing authenticator apps such as LastPass Authenticator, Microsoft Authenticator, and Google Authenticator.
Adding to the frustration, affected customers have been unable to get help from LastPass support: contacting support requires logging into an account, which is exactly what these users cannot do while caught in an endless cycle of MFA resets. Users have reported on various platforms that they cannot log in, that password resets fail, and that there is no way to reach support for assistance.
According to LastPass, the MFA resets were announced through in-app messages several weeks before they were enforced. LastPass has released multiple advisories about the security upgrades, explaining that the resets accompany an increase in the number of password iterations to a new default of 600,000 rounds. LastPass derives keys from users' master passwords with the Password-Based Key Derivation Function 2 (PBKDF2) at a higher-than-typical iteration count, which raises the cost of each guess an attacker must make in an offline brute-force attack against stolen vault data.
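As an added illustration of what the iteration change buys (example code written for this page, not LastPass's implementation), the block below stretches a master password into a vault key with PBKDF2-HMAC-SHA256 and then simulates an attacker guessing against a copied vault. The legacy round count of 5,000, the use of the account e-mail as salt, and the sample password are assumptions made for the demo; the only figure taken from the page is the new default of 600,000 rounds.

```python
import hashlib
import hmac
import time

# The page states LastPass raised its default to 600,000 PBKDF2 rounds.
NEW_DEFAULT_ITERATIONS = 600_000
# Assumption for illustration only: a much lower legacy round count (not stated on the page).
LEGACY_ITERATIONS = 5_000
KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    Every guess an attacker makes against a stolen vault must repeat this exact
    computation, so the cost per guess scales linearly with `iterations`.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def meets_iteration_policy(iterations: int, minimum: int = NEW_DEFAULT_ITERATIONS) -> bool:
    """Policy check a vault service would run on each account's stored KDF parameters."""
    return iterations >= minimum


def offline_guess(stolen_key: bytes, salt: bytes, iterations: int, wordlist):
    """Simulate an attacker holding a stolen salt + derived key (e.g. from a copied vault backup).

    Returns (recovered_password, number_of_guesses). The attacker has to use the
    same iteration count the vault was created with; a mismatch yields an
    unrelated key and the comparison simply fails.
    """
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if hmac.compare_digest(derive_vault_key(candidate, salt, iterations), stolen_key):
            return candidate, guesses
    return None, guesses


def seconds_per_guess(iterations: int, salt: bytes = b"timing-salt") -> float:
    """Wall-clock cost of one PBKDF2 evaluation at the given iteration count."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample: a weak master password protected only by the legacy round count.
    salt = b"alice@example.com"  # assumption: account e-mail used as the salt (illustrative)
    stolen = derive_vault_key("hunter2", salt, LEGACY_ITERATIONS)
    wordlist = ["password", "letmein", "hunter2", "qwerty"]

    recovered, n = offline_guess(stolen, salt, LEGACY_ITERATIONS, wordlist)
    print(f"legacy vault: recovered {recovered!r} after {n} guesses")

    for it in (LEGACY_ITERATIONS, NEW_DEFAULT_ITERATIONS):
        print(f"{it:>8} rounds: {seconds_per_guess(it):.4f} s per guess, "
              f"policy ok = {meets_iteration_policy(it)}")
```

Running the script shows the per-guess cost growing in proportion to the round count; the ratio between the two timings is the factor by which a dictionary attack on a copied vault slows down, which is the whole point of raising the default. It also shows why a client and server must agree on the per-account iteration count: the same password and salt produce an unrelated key under a different count.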
The company has provided detailed instructions on how to reset the pairing between LastPass and the authenticator app, as well as the steps required to re-enroll in multifactor authentication. Users will also be prompted to verify their location and re-enter their login credentials when logging into websites or apps using LastPass.
LastPass stated that after the security incidents of 2022, it sent emails and in-product communications urging customers to reset their MFA secrets as a precautionary measure. Some users did not take this action, which prompted LastPass to add in-product prompts in early June to push the remaining accounts through the reset.
These login issues follow the security breach LastPass disclosed in December 2022, in which threat actors obtained customer account information and copies of password vault data that was only partially encrypted. That breach traced back to an earlier incident in August 2022: using data stolen at that time, the attackers gained access to LastPass's cloud storage (Amazon S3 buckets) and copied backups of customer vault data.