Lastpass Phish?

Received an email today about the LastPass security incident, allegedly from LastPass, with instructions to go to a website and verify my identity, change my master password.

HOWEVER:

I am not a LastPass user
The website the email sends me to has unverifiable credentials for SSL
The extended email headers do not identify the sender as LastPass

Otherwise looks very authentic :frowning:

So I reported it as a fraud site via Opera

But I may have tried and discarded Lastpass at some point in the past, so ?

Nice way to get all your user names and passwords.

I too don’t use LastPass and this is just one reason why I won’t trust my passwords to an on-line resource. I’m a trusting sod, NOT.

You may have signed up for them and they have had a problem with a possible security breach.

Funny thing is, I noticed someone put this news in the security board and signed up for the service AFTER this happened. http://blog.lastpass.com/

sded, being a lastpass user, I’m going to report this on LP forums if you don’t mind.

edit: yeah, I got such an email too, but as said being an lp user I’m not surprised.

Sure; no problem. The site is https://lastpass.com/status.php and the attachment shows what Opera says about it.

jesus, their forums are down from here, or hardly responsive atm…

I don’t think this is phishing, I just got an email from them as well, and chrome doesn’t show that their certificate is untrusted.

I just mailed someone from the LP team, will post back here as soon as I got an answer. The cert is legit on my side as well. Still doesn’t explain why sded got the mail…

This is legitimate – We emailed everyone who had an account, active or not – delete your account if not active…

okay no problem on my side but why did sded get a mail ??? … he didn’t mention he ever was an LP user in the past…

He said that he may have tried to sign up a while ago.

But I may have tried and discarded Lastpass at some point in the past, so ?

Just because he stopped using the software, doesn’t mean that his email address wasn’t in their system anymore.

oh okay that was edited and I missed it… either he registered or didn’t. There’s no such thing as “try it” first and then discard it with LP. There’s a premium version, but the common version is free and is not time restricted, even if you don’t use it.

edit: I just sent a link to sded if he wants or needs to delete his account.

Now perhaps lastpass will fix their SSL certificate trust issue somewhere along the way also. Even if I have an account I don’t trust the site, since Opera told me not to. But I will look for and cancel my account if I can get them to send me a password again. :slight_smile:

Maybe you haven’t updated your root certificates for your computer in a while???

Updated certificates with current Opera 11.10. FF also makes a remark about untrusted (class 2) CA, but nothing as dramatic as Opera. Appears to be good for encryption, but not everyone agrees it should be trusted.

yeah Chrome that uses Windows certificate storage shows the same… remains to find out how critical is critical ;D

I sort of forgot that I use starfield communication certificates (division of godaddy/certificatesforexchange.com?) for my exchange server here at work, so it’s possible that their certificate is already installed as a trusted root for me, which is why I’m not getting any certificate errors on that site.