Cassidy said he discovered a phishing attack against LastPass that allows an attacker to steal a LastPass user’s email, password, and two-factor authentication code.
With those credentials, the attacker gains full access to all of the victim’s passwords and documents stored in LastPass.
“I call this attack LostPass,” said Cassidy. “LostPass works because LastPass displays messages in the browser that attackers can fake.”
“Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference. It’s pixel-for-pixel the same notification and login screen.”