Surely not again, LastPass?

Feb 28 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that’ll keep you reading like Joe Biden with his teleprompter… “Repeat the line”, folks.

Today’s hottest cyber security stories:

  • Thou Shalt not LastPass
  • iPhone theft + Apple ID leak = Kafkaesque nightmare for victim
  • Pet tracking apps prone to hacks! Don’t get snooped, dog lovers!


Modern living requires a lot of passwords and logins. As consumers, we have a choice to make. Do we stick with one trusty password for all platforms (not recommended, folks!), à la “Password123”?

Or alternatively, frantically try to remember countless different ones for the growing number of services and apps that, slowly but surely, have become essential components of our daily lives.

So, the smart consumer may opt for a password management app; that is, a one-stop service to keep track of all your various authentication passwords, codes, and passphrases.

Brilliant. One problem, though. What if the password management app gets hacked?

Well, that’s exactly what happened to popular password manager LastPass back in December of 2022 and, according to reports today, the same attackers have returned for a second helping. But will they pull it off, or will their first pass prove to be their LastPass? Only time will tell…

So, what happened in the first attack?

LastPass disclosed a severe data breach that allowed threat actors to access encrypted password vaults. Not ideal.

Specifically, in August and November 2022, LastPass suffered two connected data breaches that resulted in confidential customer information being compromised.

The August breach saw a malicious actor steal source code and technical information from LastPass’ development environment that was then used to target an employee.

As a side note, LastPass is currently facing a class action lawsuit in response to this breach. But that’s neither here nor there.

What’s the latest?

One of LastPass’ DevOps engineers had their personal home computer breached and infected with a keylogger as part of a sustained cyberattack that exfiltrated sensitive data from its Amazon AWS cloud storage servers.

“The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack,” the password management service said.

What’s the takeaway?

LastPass users are highly recommended to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already. No shit, Sherlock!


Apple: hAvE YoU TrIeD FiNd mY IpHoNe?

We don’t know about you but here at Gone Phishing, we thought, naively as it turns out, that the days of having your phone swiped were as dead as the dodo thanks to Find My iPhone, Two Factor Authentication, and all that other clever stuff.

Turns out, we were wrong! Well, sort of. Basically, as this recent story (hang on, we’re getting to it!) indicates, if the crafty criminal who swipes your smartphone has done his (or her!) due diligence, i.e., gotten ahold of their victim’s passcode (usually 4 numbers – not exactly hard to snoop), all bets are off, folks.

And not even our benevolent Gurus or Genius or whatever ridiculous name they’re giving themselves these days at Apple can help you!

That’s what poor Reyhan Ayas experienced when she had her iPhone 13 Pro Max stolen while she was out at a bar in Manhattan, NY. Bet she wishes she set up Touch ID now, huh?

She said she tried telling Apple but was repeatedly asked whether she’d tried Find My iPhone which is, of course, literally the first thing she did off a mate’s phone the moment she realised it was missing.

While chatting with the so-called Geniuses at Apple, she watched $10,00 get drained from her account and watched the scammers successfully get approved for an Apple credit card. Jeez!

The support team “was not helpful at all,” Ayas said. She then called Goldman Sachs, which issues Apple’s credit cards, and was able to get some help. Goldman Sachs, FTW!


A lot of prudent pet owners are investing in ways to make sure they keep their furry companions out of harm’s way. What they may not have considered is the potential for phishing. But dw, we’re here to keep you in the know.

It’s a dog-eat-dog world out there!

Scott Harper, a doctoral student at Newcastle University’s school of computing, has just authored a study on the subject which is very enlightening but may be a case of tl;dr (Too long; Didn’t read, boomers!) so, here are some of the key points. Beam us up, Scotty:

“Pet tech, such as smart collars and GPS trackers for your cat or dog, is a rapidly growing industry and it brings with it new security, privacy and safety risks to the pet owners,” said Scott Harper, a doctoral student at Newcastle University’s school of computing and the lead author of the study.

“While owners might use these apps for peace of mind about the health of their dog or where their cat is, they may not be happy to find out about the risks the apps hold for their own cyber security.

“We would urge anyone using these apps to take the time to ensure they are using a unique password, check the settings and ensure that they consider how much data they are sharing or willing to share.”

Dogfood for thought, eh? We’ll show ourselves out.

So long and thanks for reading all the phish!
