Solved! My Gmail And LastPass Were Hacked, Should I Delete Them Both?

May 6, 2018
Hi, I've recently had a nightmare where both my Gmail and LastPass accounts were hacked and now I'm wondering whether I should delete both accounts and not use them again?

I'm not sure which was hacked first but I woke up one morning to find notifications on my phone from Gmail and LastPass saying my passwords had been changed and someone was attempting access. I then went to my PC to log into my Gmail and found I couldn't get in as the password had been changed. More worryingly though, I couldn't log into my LastPass account as both the master password and my email address had been changed. This gave the hacker complete access to every site and service I used and my banking and card details.

I have managed to get back into my Gmail account now but my LastPass is still not working due to the email address change and it's showing me as an unknown user. Luckily I had gone to the bank and put a stop on my card (found that someone had made some purchases already on my card but those were cancelled and the money refunded) and they have sent out a new card to me. I've also had to order a new sim card for my mobile as the hacker also has my mobile number and so I want to change it.

I couldn't get any help from LastPass other than articles on their site suggesting I try to revert or reset my master password or if my email address has been compromised, to set up a new account and start to change all my passwords for the sites I use (which I had done anyway regardless of using LastPass). I have opened a support ticket with them but they've been very slow to respond and haven't offered any help other than links to those articles I mentioned.

I don't understand why they didn't block access to the account straight away seeing as the person trying to gain access was from a completely different country (or supposedly so, he was using IPVanish) and had a different IP address than mine. Instead they just sent notifications to me overnight while I was in bed and left it up to me to sort out, meanwhile granting access to the hacker to be able to change my password and email address.

Anyway, I don't think I'll be using LastPass again and wondered if I should close my Gmail account as well? I have set up a new email account and changed all my passwords for everything and used much stronger passwords but I don't feel comfortable trusting LastPass or any password manager to keep my passwords and banking details safe anymore.

I did some anti virus and anti malware scans btw and they showed nothing on my computer. I use Windows Defender and Malwarebytes Premium and they have real-time protection and I have never had any problems before so I'm not sure how the hacker was able to get my information. Perhaps there was a site leak somewhere that exposed my email address and password?

Any advice on this would be much appreciated.
 
mdd1963

Much more likely is an email/password leak at any other service, and, someone trying the same password at Google Mail, and, if successful, then attempting the same email/login combo to LastPass......especially if Google/gmail was your notification on LastPass.

Or, a compromised PC allowing monitoring/access might have been used. Be very careful of trusting any emails telling you of compromises, as sometimes they feed you false links actually resulting in the compromise in your hasty attempts to login from a hostile source's links. (Not always are they stupid enough to tell you, "Unfortunately, it appears your account has been accessed from xxxxxx".) Trust no one.....and trust no email message definitively....

Go do all your financial/account related business on a known to be uninfected PC.

Nuke and pave yours to be safe, full wipe and reload....
 
May 6, 2018
Thanks for the replies. I think I will do a fresh install of Windows on my PC and format the hard drives just to be safe. I have now set up new email accounts and I will close my old Gmail account. I have changed all my passwords and used strong passwords made up of a mixture of letters, numbers and characters. I am going to save them in a list on an encrypted USB stick and not bother with any password managers at all, I really don't trust them now after seeing how easy it is for a hacker to get access and change the login information.

I'm really disappointed with LastPass. It seems their policy (along with Google) is to make people aware of suspicious activity and login attempts but to not actually do anything about it, like putting a block on your account. They just leave it up to you by saying "just so you know this IP address from this location tried to access your account, if it was you then don't do anything and if it wasn't you might want to change your password" but at no point do they actually bother to do anything themselves.

I wasn't aware of what was going on because it was happening overnight while I was asleep and I didn't see the notifications on my phone till I got up later that morning, by which point it was too late. It just seems crazy to me that someone with a completely different IP address and location to you, or to what is normally used to login, is allowed to gain access and go about the various resetting and changing of passwords and login information processes without being blocked at all, and that companies like LastPass can get away with doing nothing by saying "Well we sent you a notification". For goodness sake, the IP address that got access even said it was from IPVanish.com!!

Anyway, sorry about that rant. I'm just really stressed about this whole thing. Sorry to answer your question helpstar, yes it was a strong password and a mixture of letters, numbers and characters. The hacker wasn't able to guess or find out the password, when I got back into my Gmail account I saw I had received emails from LastPass where the hacker had requested password reminders (I never used any so that proved fruitless and just showed a blank box where the password reminder should be). But this didn't matter anyway as the hacker was able to request a complete reset of the password and I have an email from LogMeIn with a link to change the password. This is how the hacker was able to change it and then subsequently change my email address that was associated with LastPass and then get full access to everything I had entrusted them with.

I couldn't then log into LastPass to change the password or anything as my email address was no longer valid and it just kept saying it was an unknown address. I tried to reach out to LP with a support ticket but they just keep sending me links to articles I have already seen about the processes of reverting, resetting or changing your password. In the event of your email being compromised (like mine) it just says to create a new LastPass account and then start setting up new passwords for everything you had prior to the hack. This seems completely pointless as why would you ever use or trust LP again? And your old account is still out there being used by someone else only under different credentials.

I have asked them to delete that account and even managed to provide them with my user ID number and proof of my last two payments for the service but they just keep saying to set up a new account (which I have done) or that I can delete that account, completely missing the point that all this does is remove the new account while still leaving the old account open.

Anyway, I'm pretty much done with LastPass at this point. I am waiting for my new bank card to arrive and I have also had to get a new sim card and change my mobile number so I can then set up two factor authentication with a clean number. As I said, I am going to delete this old Gmail account and LastPass and just use my new email address from now on (I set up a couple with different providers and I am using one as a backup). I will also format my computer and re-install Windows 10.

Sorry to have repeated myself a bit there from my first post. As you can imagine, this has been a nightmare but also a wake up call. I'm in limbo a bit till I can get my new bank card and sim card but I think I will still go ahead and close this Gmail account and reinstall Windows, just to be safe.

Thanks for the advice.
 

mdd1963

Was GMail your LastPass authentication address for notifications?

Was your gmail password used *anywhere* else, not that that would matter if it was your contact info for LastPass...; which makes your email and its password used for LastPass authentication just as critical as LastPass itself, as once compromised, LastPass quickly follows....

I don't think Lastpass was compromised, but, your Gmail was, which allowed Lastpass changes.

If you truly don't trust any online password managers, there is always an encrypted alphabetized notepad document, essentially Keepass at that point...

 
May 6, 2018
Yes Gmail was my LastPass authentication address but its password and LastPass's were different. My Gmail password wasn't used anywhere else, in fact a couple of days leading up to the hack I had been changing all my passwords myself including Gmail's (but unfortunately I hadn't got round to the LastPass password yet). I had decided to stop using LP anyway as I wasn't happy with it, whenever I would use it to update or change/generate a new password, it would fail to update the vault properly and so I would have a new password and no record of it in LP and thus unable to log in. I found myself creating a password, copying it to Notepad, changing a website's password I used and then manually updating the vault record in LP. I just thought what's the point in me even using LP seeing as I'm doing everything myself?

I had gone through all of the vault passwords I had stored and changed them all but hadn't changed LP's master password as I planned on deleting the account anyway a few days later. I think that's why since regaining control of my Gmail account and going through all the websites I use and their passwords, the only ones that had been changed were LP and Gmail.

I'm still trying to figure out how my Gmail account was compromised in the first place. I had got a pop-up on my iPad telling me I was locked out of my account and needed to log back in which I have never experienced before. Around the same time I had also received emails from who I thought was Apple informing me of a similar thing. I checked the from email address on Google to check it was genuinely Apple and it seemed to be real but I didn't click on the link. Instead I just signed into my iPad as normal which seemed to unlock the account, I then went about changing the password as I was suspicious. Perhaps that was the initial mistake I made? I don't know, it could be any number of things that caused my account to be compromised.

I think you are right and Gmail was compromised first, followed by LP but once someone has control of your main email account, it's very easy for them to control everything else and reset passwords and emails at will. This is something I think is made too easy and perhaps if the IP address and location of the person attempting to gain access or change login details for Gmail or LP etc is completely different than the one normally associated with it or anything on the verified lists, then Google and LP should step in and put a block on it until such a time as you have verified it rather than just immediately sending out password reset links to the associated email address.

I agree perhaps there were errors on my part but these companies know that most people will not be that internet savvy (and I am probably more so than most of my friends and family) and will not understand about having strong passwords and different ones for every single site they log into and particularly for their main email address (I would imagine most people just have one). These big companies have the technology to track people's IP addresses and it must be possible for them to differentiate between a regularly used one and a brand new one that's never accessed the site before or is from a completely different location. It seems they can use the notification system as a loophole to say they have warned you about suspicious activity and now it's up to you to sort it. I think the onus should be on them as the first line of defence to block such activity and stop it in its tracks. At worst this will inconvenience the user from getting access to their own account without first verifying they know the IP address and location of the person accessing it or that it is themselves, but at best this will stop any hackers from easily accessing an account and immediately changing passwords etc. People can't be expected to always be aware of any notifications received on their phone or computer etc for various reasons, sleeping being a main one, and to some extent they are incapacitated from being able to intervene and verify their account or stop any access or changes being made.

At the moment my plan is to not have any password manager or my passwords stored on my computer at all. I am also going to try to use two factor authentication where available and make sure all my passwords are as strong as they can be. I know I will never be truly safe but I am just trying to mitigate the risk as much as I can. I think at the moment I am still in a bit of shock and perhaps slightly overreacting but for my own peace of mind I need to take much more stringent measures.
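The post above argues that a password reset or recovery-email change from an IP address and country the account has never used should be held for verification rather than just notified. The block below is an added illustration of that defender-side idea, not code from the thread or from any product mentioned in it: a small risk-scoring policy that looks at each sensitive event against the account's known networks and countries and returns ALLOW, STEP_UP (require a second factor or explicit owner confirmation) or BLOCK. The account history, the sample events, the weights and the thresholds are all constructed for the example; the IP addresses are documentation ranges.

```python
"""Risk-scored decision for logins and credential/recovery changes.

Constructed illustration of "block or step up on unfamiliar origin" as opposed
to "notify and hope the owner is awake". Every name, weight and threshold here
is an assumption chosen for the example, not a vendor's actual policy.
"""
from dataclasses import dataclass
from datetime import datetime

# Actions that change credentials or recovery paths; these are the ones an
# attacker with a stolen mailbox uses to take over everything else.
SENSITIVE_ACTIONS = {"password_reset", "change_recovery_email", "change_master_password"}


@dataclass
class AccountHistory:
    known_networks: set      # /24 prefixes seen on previously verified sessions
    known_countries: set     # countries seen on previously verified sessions
    usual_hours: range       # local hours in which the owner normally acts
    known_vpn_ranges: set    # VPN exit prefixes the owner has acknowledged


@dataclass
class Event:
    action: str
    ip: str
    country: str
    ts: datetime
    from_vpn: bool = False   # set by a (hypothetical) VPN/proxy classifier


def net24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 prefix for a coarse device match."""
    return ".".join(ip.split(".")[:3])


def score(event: Event, hist: AccountHistory):
    """Return (risk score, list of reasons) for one event."""
    s, reasons = 0, []
    if net24(event.ip) not in hist.known_networks:
        s += 2; reasons.append("unfamiliar network")
    if event.country not in hist.known_countries:
        s += 3; reasons.append("unfamiliar country")
    if event.from_vpn and net24(event.ip) not in hist.known_vpn_ranges:
        s += 1; reasons.append("anonymising VPN exit not previously used")
    if event.ts.hour not in hist.usual_hours:
        s += 1; reasons.append("outside owner's usual hours")
    if event.action in SENSITIVE_ACTIONS:
        # Weighted so that a credential change alone already needs step-up,
        # even from a known device: a reset link should never be the only gate.
        s += 3; reasons.append("credential/recovery change")
    return s, reasons


def decide(event: Event, hist: AccountHistory, step_up: int = 3, block: int = 6):
    """Map the score to a verdict. BLOCK holds the action until the owner verifies."""
    s, reasons = score(event, hist)
    verdict = "BLOCK" if s >= block else "STEP_UP" if s >= step_up else "ALLOW"
    return verdict, s, reasons


# Constructed account history: owner logs in from one home network in GB, daytime.
OWNER = AccountHistory(known_networks={"203.0.113"}, known_countries={"GB"},
                       usual_hours=range(7, 23), known_vpn_ranges=set())

# Constructed event stream: two normal events, a reset from the home network,
# then the overnight sequence the thread describes (reset + recovery-email change
# from a VPN exit in another country at 3 a.m.).
SAMPLE_EVENTS = [
    Event("login", "203.0.113.7", "GB", datetime(2018, 5, 5, 19, 0)),
    Event("login", "198.51.100.4", "GB", datetime(2018, 5, 5, 9, 0)),
    Event("password_reset", "203.0.113.7", "GB", datetime(2018, 5, 5, 19, 5)),
    Event("password_reset", "192.0.2.55", "US", datetime(2018, 5, 6, 3, 2), from_vpn=True),
    Event("change_recovery_email", "192.0.2.55", "US", datetime(2018, 5, 6, 3, 12), from_vpn=True),
]


def evaluate_all(events=SAMPLE_EVENTS, hist=OWNER):
    """Run the policy over an event list; returns [(action, verdict, score), ...]."""
    return [(e.action, *decide(e, hist)[:2]) for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, s, reasons = decide(e, OWNER)
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.action:<22} {e.ip:<14} {e.country} -> {verdict} ({s}) {reasons}")
```

With these weights an ordinary login from a new network is still allowed (it would only get a notification), a password reset from the owner's own network requires a second factor, and the overnight reset and recovery-email change from an unknown VPN exit abroad are held outright until the owner verifies, which is the behaviour the post above asks for. Real systems also feed the score into rate limiting and make the block reversible through an out-of-band channel, so a legitimate traveller is inconvenienced rather than locked out.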
 

mdd1963

Problem is , if gmail gets compromised, and that's your LastPass authenticator, then someone can change LastPass as well.....solely by the compromised gmail....

Once they claim 'forgot password' to Lastpass via gmail, they are in....to everything...

Open an Outlook address for an MS acct.....

Pick a secure password.....16 characters! not the same as anything else.....

Open a new Lastpass account with a 16 character secure password... w/special characters, numbers, caps, etc....link that to your Lastpass....

Gmail gives notifications if new comps are used for logins....you don't respond/complain in time, *then they are in*.....

Again, it is not Lastpass that was compromised...

It was your email.....used to change Lastpass...

There is an important difference....

No idea how email compromised at all? short/easy password? Password for Gmail used elsewhere...? any chance you fell victim to a phishing scam, 're-enter your details to confirm' scam, etc..?

No real need for LastPass, but, with so many folks with what can quickly grow to 30 accounts, etc., the loss of even one important account used for authentication makes that one especially important...

(I use an encrypted Notepad doc with all accounts alphabetized, and use password hints to jog my memory, not the actual password....and, encrypted on top of that....! store that in a free cloud acct...for backup, )
 
Solution
May 6, 2018
I think you're right mdd1963, unfortunately because my Gmail account got hacked first and that was the associated email address it was easy for the hacker to then get into my LastPass account. What's weird though is that in the days leading up to the hack I had been changing all my passwords. In fact I had changed my Gmail password just the day before. So far it seems the hacker was just after my bank card details as that seems to be the only thing that has been accessed to make a couple of small purchases (probably just testers to see if I did anything about it). None of my other passwords or login details other than Gmail or LastPass were changed (although I have since changed them anyway and re-installed Windows just to be safe).

I still don't know how it happened in the first place as I am always careful not to click on any links I am unsure of or anything unsolicited. Regardless, I have closed the compromised Gmail account and opened a new one and a Yahoo account, both with separate and strong passwords. As I have mentioned, I've also gone ahead and changed the passwords for everything else I use and set up the new Gmail address for my logins. I am going to encrypt a Notepad doc as you suggested and keep it on an encrypted flash drive away from my computer and probably keep print outs of my passwords and login details etc in a safe place in my home.

I should get my new sim card soon and my new phone number so I can then set up two factor authentication for everything that has it.

Is there anything else I can do to keep my details protected? I guess it's not a good idea to use things like Google Smart Lock or Chrome to remember my passwords? I have Malwarebytes Premium running in real time as well as Windows Defender but I don't feel comfortable with using another password manager really. I've also got Malwarebytes running on my Android phone too. Dunno if there's an equivalent or if I need anything for my iPad?

This has really spooked me and so now I want to make doubly sure I have done everything I can to keep my information safe and secure. I think I have taken necessary precautions but perhaps there's something more I can do.

Thanks for all the help so far, I really appreciate it.
 