Using Noabort to fix Wordfence issues on Litespeed

Running the security plugin “Wordfence” on Litespeed servers under their recommended settings can lead to your website experiencing performance issues and errors. This is due to incorrect advice by Wordfence when running with Litespeed.

The Possible Symptoms

Some symptoms of this issue may include the following:

  • When requesting your website it times out before the page is loaded.
  • cPanel shows the resource usage for CPU Usage and/or Physical Memory at 100%.
  • Requests become slower to complete.

The Cause

The root cause is the addition of either of the following in your .htaccess file which is located in your web root (for the primary domain of your cPanel account this will be inside the public_html directory).

# BEGIN LiteSpeed noabort
SetEnv noabort 1
# END liteSpeed noabort

or

# BEGIN LiteSpeed noabort
<IfModule Litespeed>
RewriteEngine On
RewriteRule .* - [E=noabort:1]
</IfModule>
# END liteSpeed noabort

or

<IfModule Litespeed>
SetEnv noabort 1
</IfModule>

These lines may have been added by you, by your web developer, or automatically by Wordfence itself, because they are the Wordfence-recommended settings for running Wordfence on the Litespeed web server.

When Wordfence is configured to update automatically and it fails, the following email is sent recommending that the above changes are added to the .htaccess file:

[Wordfence Alert] [example.com] Wordfence Upgrade not run. Please modify your .htaccess

This email was sent from your website “Example Website” by the Wordfence plugin at Monday 23rd of May 2022 at 02:28:13 PM
The Wordfence administrative URL for this site is: https://example.com/wp-admin/admin.php?page=Wordfence
To preserve the integrity of your website we are not running Wordfence auto-update.
You are running the LiteSpeed web server which has been known to cause a problem with Wordfence auto-update.
Please go to your website now and make a minor change to your .htaccess to fix this.
You can find out how to make this change at:
https://www.wordfence.com/help/?query=dashboard-litespeed-warning

Preventing the issue

In order to prevent this issue from occurring the directives defined within the .htaccess file would need to be removed or commented out. This will disable the rule in question and allow Litespeed to behave normally and abort PHP processes after the client has terminated the connection.

1) Open cPanel for your website. You can do this via WHM if you have a Reseller/Dedicated service or, if you are a Shared Hosting customer, via your host's portal: select the active Shared Hosting service in My Services and click Login to cPanel in the left-hand menu.

2) Click on File Manager in the Files section of cPanel.

3) Once you have File Manager open, navigate to the web root of your website. By default this is public_html in your home directory for the primary domain.


4) Ensure you can see hidden files (dotfiles) in File Manager: click Settings in the top right, tick Show Hidden Files (dotfiles) and then click Save.

5) Select the file named “.htaccess” and, when it is highlighted, click Edit at the top (if you get a pop-up about encoding you can ignore it by clicking Edit again on the pop-up).

6) Look for the Litespeed entry (it usually looks like one of the three snippets quoted above in “The Cause”) and add a # symbol to the start of every line in that section which does not already start with one, in that section only, so that each line of the noabort block is commented out.

7) Click Save Changes in the top right, then click Close; you can then close the File Manager tab to return to cPanel for the account.

Warning

If your issue is currently ongoing (i.e. the account has high CPU and MEM usage) these steps alone will NOT suffice, the steps for Resolving the issue should also be followed to clear out any stuck PHP processes.

Resolving the issue

If the issue is currently ongoing, you’ll also need to clear any existing/hanging PHP processes which occurred as a result of this. To do so, please follow the steps below:

1) In cPanel, open Select PHP Version under the Software section.

2) Make a note of your current PHP version, then click on the version drop-down box.

3) Click on any other version and then click “Set as current”.

4) Click the drop-down again, select the version of PHP your site was on before you changed it, and then click “Set as current”.

Warning

Switching from one PHP version to another kills any remaining PHP processes that are running; however, you must ensure that the version is then switched back, otherwise site functionality may break.

5) To correctly set ‘noabort’ – only if you need it – it should be targeted, for example applying only to wp-cron requests:

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Exempt only wp-cron.php from LiteSpeed's abort-on-disconnect behaviour.
    # (A RewriteCond only qualifies the RewriteRule that immediately follows it,
    # so no condition is needed for a single path-based rule like this one.)
    RewriteRule ^wp-cron\.php$ - [E=noabort:1]
</IfModule>

ℹ️ Tip: For even better performance, and more reliable execution, consider calling wp-cron from the command line

Optionally, you can also prevent connection timeouts when performing long-running tasks in the WordPress admin – again, only if you’re suffering from a specific problem which requires it:

<IfModule mod_rewrite.c>
    RewriteEngine On
    # wp-cron.php may keep running after the client disconnects
    RewriteRule ^wp-cron\.php$ - [E=noabort:1]
    # Requests carrying a WordPress login cookie (admin sessions) are exempted
    # from the connection timeout; the condition applies to the rule below it
    RewriteCond %{HTTP_COOKIE} ^.*wordpress_logged_in_.*$
    RewriteRule .* - [E=noconntimeout:1]
</IfModule>
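As an added example that is not part of the original article (and not code from Wordfence or LiteSpeed), the following Python script implements the two checks a practitioner would want around the configuration above: it lists every noabort directive in an .htaccess file and classifies it as blanket (applies to every request, like the Wordfence-recommended snippets) or targeted (restricted by a RewriteRule pattern such as ^wp-cron\.php$), and it performs step 6 from “Preventing the issue” by prefixing every line of the “# BEGIN LiteSpeed noabort” section with #. The sample .htaccess content is constructed for the example, and the function names are my own.

```python
import re

# Constructed sample .htaccess modelled on the snippets quoted above
# (a Wordfence-style blanket section followed by a targeted wp-cron rule).
SAMPLE_HTACCESS = """\
# BEGIN LiteSpeed noabort
<IfModule Litespeed>
RewriteEngine On
RewriteRule .* - [E=noabort:1]
</IfModule>
# END liteSpeed noabort

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-cron\\.php$ - [E=noabort:1]
RewriteRule ^index\\.php$ - [L]
</IfModule>
# END WordPress
"""

# "SetEnv noabort 1" has no request pattern at all, so it is always blanket.
SETENV_RE = re.compile(r"^\s*SetEnv\s+noabort\b", re.IGNORECASE)
# RewriteRule <pattern> <target> [flags...] where the flags set E=noabort:1.
REWRITE_RE = re.compile(
    r"^\s*RewriteRule\s+(\S+)\s+\S+\s+\[[^\]]*\bE=noabort:1\b", re.IGNORECASE
)
# Patterns that match every request URI, i.e. a blanket exemption.
BLANKET_PATTERNS = {".*", "^.*$", "^", "(.*)", "^(.*)$"}


def audit_noabort(htaccess_text):
    """Return (line_number, scope, line) for every active noabort directive.

    scope is 'blanket' when the directive applies to all requests and
    'targeted' when a RewriteRule limits it to particular paths.
    """
    findings = []
    for num, line in enumerate(htaccess_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented out, so inactive
        if SETENV_RE.match(line):
            findings.append((num, "blanket", stripped))
            continue
        match = REWRITE_RE.match(line)
        if match:
            scope = "blanket" if match.group(1) in BLANKET_PATTERNS else "targeted"
            findings.append((num, scope, stripped))
    return findings


def comment_out_noabort_section(htaccess_text):
    """Step 6 of the procedure: prefix every non-comment, non-blank line
    between the BEGIN/END LiteSpeed noabort markers with '#'. Lines outside
    that section are left untouched."""
    begin = re.compile(r"^\s*#\s*BEGIN\s+litespeed\s+noabort", re.IGNORECASE)
    end = re.compile(r"^\s*#\s*END\s+litespeed\s+noabort", re.IGNORECASE)
    out, inside = [], False
    for line in htaccess_text.splitlines():
        if begin.match(line):
            inside = True
        elif end.match(line):
            inside = False
        elif inside and line.strip() and not line.lstrip().startswith("#"):
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for num, scope, line in audit_noabort(SAMPLE_HTACCESS):
        print(f"line {num}: {scope:8} {line}")
    print(comment_out_noabort_section(SAMPLE_HTACCESS))
```

Run it against a copy of the site's real .htaccess (for example `audit_noabort(open(".htaccess").read())`) before and after editing: the goal is for the only remaining findings to be targeted ones, such as the wp-cron rule.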

Why does this cause my website to become unreachable?

Servers run the Litespeed Webserver to provide better performance to serve your website. Additionally, to prevent other users on the server from causing any issues with your own website, they often run CloudLinux Lightweight Virtual Environment (LVE). This segregates the resources available to each cPanel account on the server, meaning one rogue site doesn’t have unlimited access to the server’s resources, potentially impacting other websites on the same server.

Essentially, each cPanel account has its own set of resources it can use. If it uses them up, it cannot then claim more CPU or memory from the server, as this would leave other sites with less access to resources.

In normal operation, Litespeed Webserver will kill PHP processes which become orphaned from a browser request or that run for a long time because, in their own words, “generally, allowing a PHP script to run forever is not desirable”. If, for example, a visitor closes the browser tab/window while connected to your site, in most instances it makes sense to kill any PHP scripts that are running as a result of the visit. This also helps prevent bots or denial-of-service attacks from impacting your site.

Importantly, however, there are some instances where you will want to keep a PHP script running even after the initial web request connection is closed. Litespeed provides for this by allowing exceptions to be made. The full documentation here outlines the various exception syntaxes which can be implemented.

The change suggested by Wordfence (and in some cases added automatically by Wordfence) allows any PHP scripts to run forever if needed. It does not discriminate or narrow down any “allowed” scripts or requests, instead, it allows all requests to run without any time limit. In the above-linked documentation, Litespeed’s developers explicitly discourage this:

When this suggestion from Wordfence is implemented, any PHP scripts on your site which do not exit properly (which may happen for several reasons), are simply left running. Eventually, these PHP scripts add up in number and exhaust all of the resources available to your cPanel account meaning new web requests to your website cannot be serviced.

Cybercriminals are stealing ‘ face scans to break into mobile banking accounts

Cybercriminals have set their sights on iOS users, using malware to steal face scans and gain access to Apple device users’ bank accounts. This is believed to be the first of its kind in the world.

A Chinese-speaking group of cybercriminals, known as GoldFactory, has been distributing smartphone apps infected with trojans since June 2023. The latest version, GoldPickaxe, has been around since October.

GoldPickaxe and GoldPickaxe.iOS target Android and iOS devices respectively. They trick users into performing biometric verification checks, which are then used to bypass the security measures of legitimate banking apps in Vietnam and Thailand, where these attacks are focused.

The iOS version specifically targets users in Thailand, disguising itself as the official digital pensions app of the Thai government. However, there are suspicions that it has also made its way to Vietnam, as similar attacks were reported in the region recently, resulting in the theft of thousands of dollars.

Group-IB researchers noted that GoldPickaxe.iOS is the first iOS Trojan they have observed that combines various functionalities, such as collecting biometric data, ID documents, intercepting SMS, and proxying traffic through victims’ devices.

The Android version of the malware has even more functionalities than its iOS counterpart, due to the more open nature of the Android platform compared to the closed nature of iOS.

While Android malware is more common due to the ability to sideload apps, the discovery of iOS malware has surprised researchers because of the tighter security controls on Apple’s platform.

The Android infection was more straightforward, with malicious apps being available for download/sideload through a fake but seemingly legitimate Google Play store.

Researchers also found that the Android version had more disguises than the iOS version, posing as over 20 different government, finance, and utility organizations in Thailand, giving attackers more opportunities to deceive users.

Google And Yahoo New Email Authentication Requirements for 2024

The Google and Yahoo new sender requirements came into force on February 1, 2024. The goal? Make inboxes even safer and less cluttered with spam.

These new guidelines mainly apply to domain owners who send more than 5000 emails daily to personal accounts ending in @gmail.com, @googlemail.com, @yahoo.com, and @ymail.com. It’s worth mentioning that all emails count towards your daily email sending volume, regardless of their nature — marketing or transactional.

Both email service providers have set three main requirements to ensure email delivery: email authentication, easy unsubscribing, and a low spam rate.

Implement Email Authentication: DMARC for Google and Yahoo

All bulk senders are now required to set up SPF, DKIM, and DMARC for their sending domains.

Given the technical complexity of setting up email authentication protocols, complying with this requirement poses a significant challenge to anyone who is not very technical. Therefore, having this managed for you by Russ Michaels Consulting, or partnering with a third-party vendor like EasyDMARC, is your guarantee of a smooth implementation and hassle-free compliance.

To pass the new Yahoo and Google DMARC requirement, you should have a valid DMARC record with a policy of at least p=none. In terms of DMARC alignment, the current guidelines only require alignment with either SPF or DKIM.
A policy of p=none is essentially an inactive DMARC policy: it does nothing and still allows an unauthenticated email to be delivered. We therefore strongly recommend full alignment with both SPF and DKIM and a policy of p=reject, which is likely to become a sender requirement in the near future.

If you’re unsure whether your domain has any of the mentioned protocols in place, a quick scan with our Domain Scanner tool will give you all the information you need.

At the same time, setting up DMARC reports with a RUA tag is also strongly encouraged by both Google and Yahoo. This will provide you with an overview of your domain’s email traffic, information about the status of SPF, DKIM, and DMARC authentication checks, and the source that sent them.

Make Unsubscribing Easy

Email users shouldn’t have to jump through hoops to stop receiving unwanted emails. Now, marketing and subscribed messages must support a one-click unsubscribe mechanism and include a clearly visible unsubscribe link in the email body. The second link, however, doesn’t have to be one-click.

In case the user opts out of receiving emails, the sender has to comply with their request and take them off the mailing list in a maximum of two days.
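As an added example (not from the original article, Google or Yahoo), here is how the one-click unsubscribe requirement looks at the message level in Python. The one-click mechanism is the RFC 8058 header pair: a List-Unsubscribe header carrying an https URL and a List-Unsubscribe-Post header whose value is exactly List-Unsubscribe=One-Click, plus the visible unsubscribe link in the body. The builder constructs such a message and the checker reports what is missing; the addresses and URL are constructed placeholders and the function names are my own.

```python
import re
from email.message import EmailMessage


def build_marketing_message(sender, recipient, unsubscribe_url, body):
    """Build a subscribed/marketing message carrying RFC 8058 one-click
    unsubscribe headers and a visible unsubscribe link in the body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Monthly newsletter"
    # Header 1: the receiver unsubscribes by POSTing to this https URL.
    msg["List-Unsubscribe"] = f"<{unsubscribe_url}>"
    # Header 2: declares that a POST with this body is all that is required.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # The clearly visible link in the body is the second requirement;
    # it does not itself have to be one-click.
    msg.set_content(f"{body}\n\nUnsubscribe: {unsubscribe_url}\n")
    return msg


def check_one_click_unsubscribe(msg):
    """Return a list of problems; an empty list means the message meets the
    one-click unsubscribe requirement described above."""
    problems = []
    urls = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not urls:
        problems.append("List-Unsubscribe header missing or has no <...> entries")
    elif not any(u.lower().startswith("https://") for u in urls):
        problems.append("List-Unsubscribe needs an https:// URL (mailto: alone is not one-click)")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post must be exactly 'List-Unsubscribe=One-Click'")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if "unsubscribe" not in text.lower():
        problems.append("no visible unsubscribe link in the message body")
    return problems


if __name__ == "__main__":
    # Constructed sample addresses and URL (placeholders, not a real list).
    sample = build_marketing_message(
        "news@example.com", "user@example.com",
        "https://example.com/unsubscribe?id=abc123", "Hello from the team",
    )
    print(sample)
    print("problems:", check_one_click_unsubscribe(sample))
```

The checker is the useful half: run it over messages leaving your own sending pipeline, because a mailto:-only List-Unsubscribe header, which many older templates carry, is not enough for one-click.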

Stay Under The Spam Threshold

Spam rates should be kept at or below 0.3%, that’s a rate of 3 in 1000. Ideally, it should be under 0.1%. Future messages from your domain are more likely to be reported as spam if they are frequently flagged as such. Therefore, sending emails to people who want to receive emails from you and avoiding unsolicited messages is your best bet.

Additional Google and Yahoo Email Requirements

Some additional requirements include:

  • Ensuring that sending domains or IPs have valid PTR records.
  • Formatting messages according to the Internet Message Format standard.
  • Not impersonating Gmail From: headers.
  • Adding ARC headers to outgoing emails if you regularly forward emails.

For more details and instructions on the new sender requirements from Google and Yahoo, you can check out Google’s Email Sender Guidelines and Yahoo’s Email Sender Requirements.

Some of these new mandates apply to all senders, regardless of their email-sending volume. Here’s a comparison between the guidelines for senders of less than 5000 emails per day and bulk senders.

Google and Yahoo email sender guidelines, comparison between all sender and bulk sender requirements

What Happens If You Don’t Follow The Requirements

The enforcement of bulk senders that don’t meet the new Google and Yahoo email requirements will be gradual and progressive.

If your emails don’t meet the required standards by the stipulated timeline, they will likely be flagged as spam or rejected by the recipient’s email provider. This could result in a significant decrease in the number of emails reaching your audience, affecting your communication and marketing efforts.

Non-compliance may also lead to damage to your sender reputation, which is essential for determining whether your emails should be delivered to the inbox, spam folder, or rejected.

Your Google and Yahoo DMARC Journey Made Simple

Email authentication with SPF, DKIM, and DMARC is an intricate process, but it doesn’t have to be hard. With my managed service or EasyDMARC, it’s easy!

The platform simplifies DMARC implementation with a user-friendly interface, making the setup process more accessible to users with various levels of technical expertise. They provide comprehensive guidance, walking you through every stage of email authentication and ensuring you have the knowledge and tools necessary for smooth compliance.

Beware of disposable phone numbers

So, what are disposable phone numbers? These are virtual phone numbers that are not permanently assigned to a specific individual or device. Anyone can purchase a temporary number from a service provider online. It is not tied to a physical SIM card or phone line contract. Users of these phone numbers can receive SMS or calls via the provider’s app or website. We’ll go into the various reasons below why people would need to use disposable phone numbers and why you should beware of disposable phone numbers.

Why do people use disposable phone numbers?

Subscribing to online services can result in receiving spam through SMS or email for several reasons. Phone numbers can also be used to track the purchase or browsing patterns of online shoppers. Hence, privacy-minded people, and those who hate spam in any form, turn to disposable phone numbers.

People using these numbers can terminate or change the virtual number once it starts to receive spam. Some may even change their numbers regularly to avoid being tracked by online services.

When signing up for online services or platforms that require a phone number verification, users are still able to receive calls and text messages without revealing their actual phone number.

Risk of disposable phone numbers

While there are legitimate uses for disposable phone numbers, fraudsters also use them to conduct fraudulent purchases online and send out scam messages. Some websites use SMS One-Time-Passcode (OTP) to conduct identification verification before allowing a customer to make purchases. If the fraudster is using a disposable phone number, he or she can easily receive the SMS OTP and “verify” their identity.

The existence of disposable phone numbers has introduced a new dimension to the fraudulent order detection process. Most merchants will be unable to easily verify if the phone number being used is a temporary virtual number. As a result, they will experience much higher fraudulent order rates and stand to suffer major financial losses.

Due to the anonymous nature of disposable phone numbers, they are great for criminals to conduct their businesses. Law enforcement agencies will need to spend more time and effort, just to track the malicious individuals.

Ways to mitigate the risks

Online merchants need to be alerted when fraudsters use disposable phone numbers during the ordering process. It is advisable to perform additional verification measures such as email verification, address verification or multi-factor authentication.

As a rule, first-time purchases by a particular user (who can be identified by either email address, phone number or IP address) should invite thorough scrutiny of the user details given in the order. Merchants can also monitor transaction patterns such as many purchases within a short period of time (velocity checks) or abnormally huge order amounts.

Using a fraud screening solution works best when integrated into the online shopping cart. An automated solution can perform a very comprehensive screening of the order details. Details such as the IP geolocation vs. the shipping or billing address are a good way to unveil possible fraud.

With a system such as the FraudLabs Pro Fraud Screening service integrated into the order process, velocity checks are performed on all transactions. In addition, the blacklists being used can quickly sniff out habitual fraudsters by their emails, phone numbers, credit cards used and so much more.
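As an added example, not taken from the original article or from FraudLabs Pro, the following Python class implements the two merchant-side checks described above: extra scrutiny for first-time customers (identified by email, phone or IP) and velocity checks on the same identifiers, plus a flag for abnormally large orders. The order feed, thresholds and identifiers are constructed for the example; the class and method names are my own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed order feed (not real data): timestamp, email, phone, IP, amount.
# The second group reuses one phone number and IP across fresh email addresses,
# which is the pattern a disposable number plus throwaway emails produces.
SAMPLE_ORDERS = [
    ("2024-03-01T10:00:00", "alice@example.com", "+15550100", "198.51.100.10", 45.00),
    ("2024-03-01T10:04:00", "bob@example.com",   "+15550200", "203.0.113.5",  1200.00),
    ("2024-03-01T10:05:00", "bob2@example.com",  "+15550200", "203.0.113.5",  980.00),
    ("2024-03-01T10:06:00", "bob3@example.com",  "+15550200", "203.0.113.5",  1150.00),
    ("2024-03-02T09:00:00", "alice@example.com", "+15550100", "198.51.100.10", 60.00),
]


class OrderScreener:
    """Flags orders for manual review using first-time, velocity and amount checks."""

    def __init__(self, window=timedelta(minutes=30), max_per_window=2, high_amount=1000.0):
        self.window = window                # velocity window
        self.max_per_window = max_per_window  # orders allowed per identifier per window
        self.high_amount = high_amount      # threshold for an abnormally large order
        self.seen = set()                   # identifiers from all earlier orders
        self.history = defaultdict(deque)   # identifier -> timestamps inside the window

    def screen(self, ts, email, phone, ip, amount):
        """Return the list of flags raised for one order (empty = nothing unusual)."""
        when = datetime.fromisoformat(ts)
        identifiers = [("email", email), ("phone", phone), ("ip", ip)]
        flags = []
        # A customer is first-time only if none of their identifiers has been seen.
        if all(ident not in self.seen for ident in identifiers):
            flags.append("first_time_customer")
        for ident in identifiers:
            timestamps = self.history[ident]
            while timestamps and when - timestamps[0] > self.window:
                timestamps.popleft()        # drop orders that fell out of the window
            timestamps.append(when)
            if len(timestamps) > self.max_per_window:
                flags.append(f"velocity:{ident[0]}")
            self.seen.add(ident)
        if amount >= self.high_amount:
            flags.append("high_amount")
        return flags


def screen_orders(orders):
    """Run the screener over an ordered feed and return one flag list per order."""
    screener = OrderScreener()
    return [screener.screen(*order) for order in orders]


if __name__ == "__main__":
    for order, flags in zip(SAMPLE_ORDERS, screen_orders(SAMPLE_ORDERS)):
        decision = "REVIEW" if flags else "accept"
        print(f"{order[0]} {order[1]:18} {order[4]:8.2f} {decision} {flags}")
```

Velocity on the phone number and IP is what catches the third group of orders even though every email address is new, which is exactly why screening on a single identifier is not enough when disposable numbers are in play.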

Conclusion

Disposable telephone numbers certainly can give legitimate users some measure of privacy, thus enabling them to hide their activities from others. Unfortunately, criminals also benefit from the easy availability of disposable phone numbers. The same privacy shield afforded to legitimate folks can also obscure the nefarious activities undertaken by the bad actors.

As with all things, there will always be pros and cons when it comes to disposable phone numbers. Luckily for online merchants, they can rely on FraudLabs Pro to secure their website shopping carts from frauds. FraudLabs Pro does a great job of detecting and blocking orders using disposable phone numbers. Merchants using FraudLabs Pro can just sit back and relax as fraudulent orders are automatically rejected or marked for manual review.

Merchants not currently using FraudLabs Pro should note that there is a free Micro plan to screen up to 500 orders per month. They should, at the very least, use the free FraudLabs Pro plan to help weed out bad orders.

Protect Domains that do not send email

If you own a domain name that you do not use for sending emails, it is essential that you configure these domains correctly so that email servers around the world know not to accept emails from these domains.

Even if you are not using a domain to send email, without taking these steps there is nothing to stop spammers or cybercriminals from sending spoofed email impersonating your domain, pretending to be from you and thus damaging your reputation.

It is very common for businesses to use one domain (such as yourdomain.com) for their website and email, but also to own other TLDs such as .co.uk, .uk, .net etc., or alternative spellings and variations of their domain, which are not used for anything.

Here are 4 simple things to do in DNS now to help protect domains that do not send email:


1. Create an SPF Record

In your DNS Management portal, create a TXT Record with the following value:

v=spf1 -all

This will tell email servers around the world that your domain name should not send any email, giving them an indication that emails from this domain should be considered spam.

Useful Tools: SPF Record Check, SPF Record Generator

How to create an SPF Record:
Create a TXT Record with these values:

  • Host: Either leave blank, or enter @
  • Value: v=spf1 -all
  • TTL: Leave default, or enter 1800

Provider guides: GoDaddy, DnsMadeEasy, NetRegistry


2. Create a DKIM Record

In your DNS Management portal, create a TXT Record with the following value:

v=DKIM1; p=

This record will tell the recipient’s mail server that the email signature isn’t valid because it sees the key as “revoked”. The way we do this is by specifying an empty key. In normal DKIM records, there are additional fields, but they aren’t needed since we are trying to create an intentionally denied record.

Tools: DKIM Record Lookup

How to create a DKIM Record:
Create a TXT Record with these values:

  • Host: *._domainkey.<your domain>
  • Value: v=DKIM1; p=
  • TTL: Leave default, or enter 1800

Provider guides: GoDaddy, DnsMadeEasy, NetRegistry


3. Create a DMARC Record

In your DNS Management portal, create a TXT Record with the following value:

v=DMARC1; p=reject; pct=100;

This will instruct receiving email servers to reject the emails.

Tools: DMARC Check Tool

How to create a DMARC Record:
Create a TXT Record with these values:

  • Host: _dmarc.<your domain>
  • Value: v=DMARC1; p=reject; pct=100;
  • TTL: Leave default, or enter 1800

Provider guides: GoDaddy, DnsMadeEasy, NetRegistry


4. Remove MX Records

In your DNS Management portal, delete and remove any MX Records that are published.

This will also show email servers worldwide that the domain should not receive any email.
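As an added example that is not part of the original article, the following Python code validates TXT records against the two postures described on this page: the four-step lockdown for a domain that never sends email (exactly `v=spf1 -all`, a revoked wildcard DKIM key `v=DKIM1; p=` at `*._domainkey`, a `p=reject` DMARC record published at `_dmarc`, and no MX records), and the Google/Yahoo bulk-sender floor from the email requirements section (a valid DMARC record with at least `p=none`, with `p=reject` and a `rua=` reporting address as the recommended level). It works on record text you paste in, so it runs offline; the zone data is constructed and the function names are my own.

```python
# Constructed zone data for a parked domain (not real DNS). Each entry is the
# host the record is published at and the TXT value, as in the steps above.
GOOD_ZONE = {
    "spf": ("@", "v=spf1 -all"),
    "dkim": ("*._domainkey", "v=DKIM1; p="),
    "dmarc": ("_dmarc", "v=DMARC1; p=reject; pct=100;"),
    "mx": [],
}
# A zone with the common mistakes: a sending-style SPF, a live DKIM key,
# DMARC published under the DKIM host with a do-nothing policy, and an MX.
BAD_ZONE = {
    "spf": ("@", "v=spf1 include:_spf.example.net ~all"),
    "dkim": ("*._domainkey", "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"),
    "dmarc": ("*._domainkey", "v=DMARC1; p=none;"),
    "mx": ["10 mail.example.net."],
}


def parse_tags(txt):
    """Parse 'tag=value; tag=value' records (DKIM and DMARC syntax)."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(host, txt):
    """Return the p= policy receivers would apply, or None when they would
    find no valid record (wrong host, missing v=DMARC1 or invalid p=)."""
    if host.lower().rstrip(".") != "_dmarc":
        return None
    tags = parse_tags(txt)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return None
    return policy


def assess_bulk_sender_dmarc(host, txt):
    """Classify a sending domain's DMARC record against the Google/Yahoo rules:
    'missing' (fails), 'minimum' (p=none or better), 'recommended' (p=reject + rua)."""
    policy = dmarc_policy(host, txt)
    if policy is None:
        return "missing", ["DMARC: no valid v=DMARC1 record with p= published at _dmarc.<domain>"]
    problems = []
    if policy != "reject":
        problems.append(f"DMARC: p={policy} still lets unauthenticated mail be delivered; use p=reject")
    if not parse_tags(txt).get("rua", "").lower().startswith("mailto:"):
        problems.append("DMARC: add rua=mailto:<address> to receive aggregate reports")
    return ("recommended" if not problems else "minimum"), problems


def check_no_send_domain(zone):
    """Return the list of deviations from the four-step no-send lockdown."""
    problems = []
    terms = zone["spf"][1].split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("SPF: missing or not a v=spf1 record")
    elif terms[1:] != ["-all"]:
        problems.append("SPF: a non-sending domain should publish exactly 'v=spf1 -all'")
    dkim_host, dkim_txt = zone["dkim"]
    dkim = parse_tags(dkim_txt)
    if dkim_host != "*._domainkey":
        problems.append("DKIM: publish the revoked key at *._domainkey so every selector matches")
    if dkim.get("v", "").upper() != "DKIM1" or dkim.get("p", "x") != "":
        problems.append("DKIM: record must be 'v=DKIM1; p=' (an empty key reads as revoked)")
    policy = dmarc_policy(*zone["dmarc"])
    if policy is None:
        problems.append("DMARC: publish 'v=DMARC1; p=reject' at _dmarc.<domain> (not under another host)")
    elif policy != "reject":
        problems.append(f"DMARC: p={policy} does not reject spoofed mail; use p=reject")
    if zone["mx"]:
        problems.append(f"MX: remove the {len(zone['mx'])} MX record(s) so the domain does not receive mail")
    return problems


if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(name, check_no_send_domain(zone) or "locked down")
    print(assess_bulk_sender_dmarc("_dmarc", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

Feed it the TXT values returned by your DNS provider or a lookup tool; the most frequent real-world miss it catches is a DMARC record published under the wrong host, which receivers simply never see.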

Click here to learn more about email authentication and DMARC

Need Help?

If you would like help with anything mentioned here

Voice Cloning – The latest cybersecurity threat

Just when you think you’re reasonably on top of all the cyber threats out there, new ones emerge. Say hello to voice cloning. Or don’t say hello to it because you don’t want a scammer to have your voice.

Voice cloning made headlines recently when scammers called a frantic mom saying they had kidnapped her daughter and demanded $1 million in ransom. They “put her on the phone” and the mother was certain it was her daughter on the other end. It wasn’t her daughter, but it was her daughter’s voice.

The incident was described in a CNN report which illustrates the wider threat voice cloning poses. Sometimes, the caller reaches out to grandparents and says their grandchild has been in an accident and needs money. Fake kidnappers have used generic recordings of people screaming.

But federal officials warn such schemes are getting more sophisticated, and that some recent ones have one thing in common: cloned voices. The growth of cheap, accessible artificial intelligence (AI) programs has allowed con artists to clone voices and create snippets of dialogue that sound like their purported captives.

The next big threat – in reverse

This same type of voice cloning can be used to breach the perimeter of cyber defences. “This really is the next big thing – in reverse,” explains Jamie Johnson, a cybersecurity expert in Chicago. Johnson says that voice technology was going to add an extra layer of security to systems, but now that inexpensive AI is available, hackers can weaponize voice.

“Voice cloning is now so authentic, if your boss called you and asked for some passwords or access, would the average employee risk their job by refusing?” Johnson questions. The best cyber defences could succumb if someone unwittingly gives out a password to someone who sounds exactly like their supervisors.

Johnson also warns that because the threat from voice cloning is so new, many cybersecurity experts simply aren’t equipped to handle it.

The emerging technology is opening cybercrime to a whole new cohort of criminals that wouldn’t typically have operated in the space. “A criminal with few computer skills can now use AI to create malicious code, spread spam, or write phishing emails, this is already happening,” Johnson warns.

Johnson recommends a few best practices for MSPs and other security specialists:

Be aware of the threat. The first step is to be aware of the threat of voice cloning. Scammers are using this technology to impersonate people they know, such as your boss, your doctor, or your bank, to trick you into giving them money or sensitive information. “This is where user training goes a long way, a lot of people simply aren’t aware this threat exists,” Johnson explains.

Be suspicious of unexpected calls or emails. MSPs need to train clients that if someone receives a call or email from someone they don’t know, or from someone they know but who is asking for something unusual, to be suspicious and not give out any personal information or financial information unless they are sure of the person they are talking to. “If your boss never calls you, but suddenly, out of the blue, he or she calls and asks you for access or passwords or to transfer funds, red flags should go up,” he says.

Social Media Awareness: Employees need to be aware that when they place an audio clip of themselves sampling sushi or cheering on their favorite sports team, their voice can be cloned and used against them, Johnson warns. “It only takes a short, short snippet of audio for a cybercriminal to clone it, maybe 10 to 15 seconds.”

What Can You Do?

“MSPs are on the front lines of this emerging threat, so raising awareness is probably the top task,” Johnson says. Beyond awareness, here are some other tips Johnson offers to MSPs and businesses trying to get a handle on this new threat:

  • Use a secure phone system. A secure phone system will have features that make it more difficult for attackers to eavesdrop on calls or intercept data. “Or, better yet, don’t use the phone if you don’t have to, I don’t like to encourage people living and working in fear, but until we get a better handle on this threat, texting and emailing or work apps like Slack can eliminate the voice threat,” Johnson says.
  • Use a firewall. A firewall can help to block unauthorized access to networks and devices. “This is cybersecurity 101.”
  • Educate employees about security best practices. Employees should be aware of the risks that voice cloning poses. “Unfortunately, voice cloning is here, and it is a real threat, so cybersecurity specialists will have to adapt accordingly,” Johnson advises.

Urgent scam warning for anybody using Gmail, Outlook or Hotmail

An expert security company has issued a warning to users of Microsoft Outlook, Hotmail and Google Gmail after reporting a massive 240% rise in email phishing scams. Cyber defence firm BlueVoyant has spoken about “dynamic phishing” and “smishing” scams, which have a reputation for being difficult to identify.

BlueVoyant has listed typical warning signs in order to help people spot dodgy emails. One technique that scammers often use is multiple redirect paths after a user has clicked on an email link, making people think that, after landing on a legitimate website, it is a genuine website, but then being taken to a fake one.

In this technique, users who are presumed to be threat hunters or phishing analysts attempting to catch out the scam will be sent to an error page instead, while consumers will be sent to “spoofed domains.”

BlueVoyant’s report says: “These evasion mechanisms include User Agent (this detects what browser you are using) or IP restrictions and blocklisting, with significant emphasis placed on bot and crawler detection. The purpose of this type of redirection is to hide the phishing content on a single website by diverting anyone or anything that might be trying to detect the scam, i.e. a search engine, security software and companies.

“Dynamic DNS hosting providers are particularly popular among threat actors because they provide a convenient platform to easily set up and host multiple phishing pages without having to register a domain.

“BlueVoyant has been tracking phishing activity leveraging this infrastructure since 2021, and found that 67% of all phishing attacks were hosted on dynamic DNS infrastructure by the end of that year, demonstrating the infrastructure’s quick adoption and massive scale of use.”

Researchers from the company also say they've observed a steady increase in SMS text phishing.

“To carry out a successful smishing attack, threat actors require an automated tool that can send SMS messages in bulk,” the report says.

“SMS gateway scripts are sold on the deep and dark web as all-inclusive solutions, which are rather easy to operate, and require very little technical knowledge.”

LastPass Hacked – How serious is it & Things You May Not Know

If you use LastPass as your password manager, I recommend reading this post in full.

If you know anyone who uses LastPass, forward this to them.

Even if you do know about the LastPass hack, I still recommend you read this, as there will be information here that you may not know about and risks you have not thought of.

In case you are not aware, LastPass got hacked back in August 2022 and then AGAIN in November, and all customer password vaults have been stolen. This is also not the first time they have been compromised; it has happened before.

LastPass has been very sketchy about revealing what happened or revealing the seriousness of the hack and waited until December 22nd to put out a statement telling customers their vaults had been stolen, knowing full well that most users would have left for the Christmas holidays and probably wouldn’t read the email or be able to take action.

You can read more about the hack here.

My advice is to move away from LastPass ASAP and change all your passwords.

How Serious Is This?

As long as you had a very strong master password on your LastPass account, security experts agree that hackers will not be able to crack it and decrypt your vault, which would potentially take thousands of years or more. If however, you had a weak or moderate master password, then you should probably consider it compromised.

However, the strength of your master password is not the only issue.

LastPass's own rules also changed over time. Accounts created years ago were allowed much weaker master passwords than the twelve-character minimum LastPass has required since 2018, and LastPass never forced those older users to change them, so many vaults are still protected by short, guessable master passwords. The key-derivation iteration count on older accounts has also been reported to be far below the current default, which makes every guess cheaper to test.

It is also important to understand what in the stolen data was and was not encrypted. LastPass's own statement says the vault backup contains unencrypted data such as website URLs alongside encrypted fields (usernames, passwords, secure notes and form-fill data), and that account data held outside the vault (names, company names, billing and email addresses, phone numbers and the IP addresses you logged in from) was taken in the clear. So even without cracking a single vault, the attackers already know who you are, what company you work for and which websites and services you use; only the contents of the encrypted fields are protected by your master password.

If any of the websites/accounts you had stored in LastPass also had weak passwords, the chances of those also being hacked have now also increased.

You can also be sure the hackers will be selling your vault to anyone who wants it on the dark web, so it won’t just be the original hackers trying to get into your vault, it will also be every other hacker and cybercriminal they sell the data to.

The even bigger issue here is that LastPass has now been hacked several times, so obviously their security is not up to scratch, plus the way they have handled the situation is highly unprofessional and unethical. In an attempt to save their reputation and stop customers from leaving in droves, they have been intentionally sketchy with the truth and tried to mislead everyone about what happened, when it happened and how serious it was, meaning they simply cannot be trusted anymore.

Armed with the non-encrypted information from users’ vaults, it will be very easy for hackers to launch phishing attacks against users, with spoofed and fake emails, appearing to come from the sites they know you use, in an attempt to get you to reveal the passwords for those sites/accounts. So you need to be extra vigilant in checking that every email you receive is really from who it says it is from.


Attackers are unlikely to spend serious cracking effort on the average user, there are millions of vaults, and the expensive effort will go on high-value targets such as CEOs, MSPs and administrators. But cheap attacks are automated: a wordlist of common and previously leaked passwords can be run against every vault in the dump, so a weak master password is at risk no matter who you are. Also see the indirect risk warning below.

Also note that the 2-factor authentication on your LastPass account does not help here. 2FA protects the login to the LastPass app or website; the attackers are not logging in to anything, they hold a copy of the encrypted vault and are trying to decrypt it offline. The vault key is derived from your master password alone, so no 2FA is involved.

If your master password was built from information that can be gleaned from your social media activity, such as family or pet names, dates of birth or favourite teams, it is also easy to crack: attackers build targeted wordlists from exactly that material.

NEVER create passwords made from personal information about you or your family or hobbies etc. Always create random passwords or phrases made from random words. This is the point of using a password manager and why they do this for you.
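To make the point concrete, here is an added example (not code from the original post or from LastPass) that generates a passphrase with the operating system's CSPRNG and compares how long a targeted guess of a "pet name plus year" password takes against a six-word random passphrase. The word list, the assumed search space of 10,000 names times 100 years, and the guess rates are all assumptions; the guess rate in particular depends on how slow the vault's key derivation is, so the function takes it as a parameter.

```python
import math
import secrets

# Constructed word list for the example. A real passphrase must be drawn from a
# large list (the EFF long list has 7,776 words); the maths below takes the list
# size as a parameter, so it shows honestly how weak a tiny list would be.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern",
                "velvet", "quartz", "meadow", "pixel"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def random_passphrase(words, count=6, sep="-"):
    """Join `count` words chosen with the OS CSPRNG. Never use the `random` module here."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices_per_symbol, symbols):
    """Bits of entropy in a uniformly random string: symbols * log2(choices)."""
    return symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits, guesses_per_second):
    """Worst case: time to try the whole space at a fixed guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second):
    """Contrast a personal-information password with a random passphrase.

    The guess rate is an assumption supplied by the caller: against a vault
    whose key derivation is slow it is orders of magnitude lower than against
    a plain hash, so run this with a range of values rather than one figure.
    """
    # A "pet name + year" password: the attacker does not search every
    # 9-character string, only plausible names times plausible years.
    # Assumed search space: 10,000 names x 100 years.
    personal_bits = entropy_bits(10_000 * 100, 1)
    # Six words drawn uniformly from the 7,776-word EFF list.
    passphrase_bits = entropy_bits(7_776, 6)
    return {
        "personal_info_bits": round(personal_bits, 1),
        "personal_info_years": years_to_exhaust(personal_bits, guesses_per_second),
        "passphrase_bits": round(passphrase_bits, 1),
        "passphrase_years": years_to_exhaust(passphrase_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print(random_passphrase(SAMPLE_WORDS))
    # Assumed guess rates, from a slow KDF to a fast unsalted hash.
    for rate in (1e4, 1e6, 1e9):
        print(f"{rate:.0e} guesses/s:", compare(rate))
```

The numbers are only as good as the assumed guess rate, but the gap they show is the point: the targeted guess space is about 20 bits and falls in seconds at any rate, while a six-word passphrase is about 77 bits and stays out of reach even at a billion guesses per second.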

How you Actually Get hacked

It is also important to consider how this can indirectly affect you.

Even if your vault does not get compromised, someone else or another company who you do business with (such as me for example), who also has access to any of your systems, websites, or accounts, could have their vault compromised, especially if they had a weak password (my passwords are strong BTW) which in turn compromises you.

It is also highly likely that some websites/businesses you use and trust will end up being hacked as a result of this, due to that company or someone who works there having their LastPass vault compromised.

So by changing all those passwords, you are also protecting yourself from this indirect compromise as well.

What you need to do

You need to get all your data out of LastPass, move to a new password manager, delete your LastPass vault, cancel your account, change all your important passwords and enable 2FA everywhere possible.

1. Change Your LastPass Master Password

This will not help with the copy of your vault that has already been stolen; it only changes the password on your live vault. But if the criminals do manage to crack your old master password, you do not want them to also log in to your LastPass account and read the live vault before you have had a chance to delete it and close the account.

2. Export all your data from LastPass

Click here for instructions on how to do that

If you use LastPass as your 2FA authenticator to generate one-time passwords (the codes you type for 2-factor authentication), note that the export will not give you working codes. A code is only valid for a short window (typically 30 seconds) and is generated from a secret seed, so anything you see in the export for those entries is useless for logging in.

So you will need to reset the 2FA on every site where LastPass is the authenticator and enrol them in another authenticator: either the password manager you move to, or, if you prefer your mobile device, Microsoft Authenticator.

You will need to keep your LastPass account active while you do this since you will need to use it to generate your One Time Passwords to log in to those sites and reset 2FA to begin with.

I recommend importing the exported CSV file into Excel, password-protecting the workbook and saving it as an .xlsx file, then deleting the original CSV and emptying the recycle bin. Office's password protection encrypts the file, so this is a reasonable temporary store; a plain CSV is readable by anything on the machine. Check that Excel has not mangled any passwords on import, for example by stripping leading zeros or treating a value that starts with = or + as a formula.

This way you do not have all your passwords stored on your computer insecurely in plain text.

3. Import your data into a new Password Manager

First, you need to pick a new password manager, the best solution will really depend on your requirements.

If you don’t need to share passwords with anyone else, don’t need any bells and whistles, and are happy to store everything on your mobile device, then you can use Microsoft authenticator, as this also has a built-in password manager.

The downside of this is that if you need to log into anything on your PC/laptop or any other device, you will need to manually type those long, randomly generated passwords.

Other popular choices include 1Password, Dashlane, NordPass, Bitwarden, KeePass and many others.

If you use Bitdefender antivirus, then this also has an optional password manager.

I personally have moved to Bitwarden, which has a free plan for personal use and very reasonable pricing on all the other plans. However, it is not the prettiest or most intuitive app, so it may not be the right choice for the less computer-literate among you, who may prefer one of the other apps above or something else.

All make it nice and easy to import your LastPass data and provide instructions in their knowledge base on how to do this.

And finally don’t forget to delete that exported file once you have finished with it, and also delete it from the recycle bin too. 

TIP: If you hold SHIFT while deleting a file, it skips the recycle bin. Either way the data is only unlinked, not overwritten on disk, so do this promptly and do not copy the file anywhere else first.

4. Reset all your 2-factor authentications

As mentioned above, you will need to reset the 2FA on all those sites where you are using LastPass as the authenticator and set them up in another authenticator.

Do this before you delete LastPass. Once the account is gone you can no longer generate the one-time passwords for those sites, and you will have to go through each site's account-recovery process to get back in.

Anywhere that offers 2FA, make sure it’s enabled.

5. Delete your LastPass account

Once you are sure that you have everything you need from Lastpass, and don’t need to access the OTP’s (One Time passwords) for 2-factor authentication for any of your sites, you can go ahead and close your LastPass account, which will delete your vault.

How to delete your LastPass account.

6. Change all your Important Passwords

You could work on the basis that your vault will not be decrypted and that you are safe, especially if you had a very strong master password.

Or you may want to go and change all your passwords just in case, don’t forget the indirect compromise I mentioned earlier.


Anywhere you have 2FA enabled is much safer, since the password by itself will not get the hackers into that account, and many services will notify you of a failed or unusual login. It is not a reason to skip the password change, just a reason to do those accounts after the ones without 2FA.

But you should certainly consider changing passwords on any important site or account where 2FA is not in place.

Such as: your email account (most important of all, since it can be used to reset almost everything else; if your provider offers 2FA, turn it on), hosting account, online banking, social media accounts, website admin, Amazon and other online stores, and anywhere that has your banking or card details stored and could be used to make purchases.

Remember, any website/account that gets hacked, even a seemingly insignificant one, may hold information that helps the criminals into your other accounts, such as your answers to security questions, which are likely the same on every site you use. Armed with that, they can pretend to be you, claim they have lost their login details, and use the security answers to reset passwords and gain access.

If any 3rd parties also have their own separate logins to anything of yours, such as your email, website, banking, amazon etc, send this information to them, and if they use LastPass, they should also change their passwords too.

7. Be vigilant

As mentioned above, armed with the non-encrypted information from users’ vaults, hackers, cybercriminals, and scammers all around the world will be launching phishing attacks against users, with spoofed and fake emails, appearing to come from the sites they know you use, in an attempt to get you to reveal the passwords for those sites/accounts.

These emails will likely come in the form of warnings about your account being compromised or about this very LastPass hack, telling you to reset your password, and sending you to a fake website.

Since there will also be legitimate emails from those same websites telling you the same thing, you need to check who the email really came from (check the from address) and verify that links in any emails go to the real website (look at the domain name).

The best suggestion is simply to avoid clicking links in such emails, and instead, just go to the website manually by typing the URL, then you know you have gone to the real website.
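As an added example, not part of the original post, here is a small Python check that applies the "look at the domain name" rule the way a browser does: it takes a link apart and compares the domain that will actually receive the request against a list of sites you trust. The trusted list, the tiny suffix list and the sample links are all constructed for the example; it does not catch homoglyph tricks such as paypa1.com, and a real tool should use the full Public Suffix List rather than the three entries here.

```python
from urllib.parse import urlparse

# Sites you know you use, as registrable domains. Constructed example list;
# in practice this is the set of domains from your own vault.
TRUSTED = {"lastpass.com", "paypal.com", "amazon.co.uk"}

# Tiny stand-in for the Public Suffix List, enough for the examples here.
# A real tool should use the full list (e.g. the `publicsuffix2` package).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host):
    """The part of a hostname somebody actually registered: the last two
    labels, or three when the suffix is itself two labels (amazon.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url):
    """Classify a link found in an email.

    Returns (verdict, registrable_domain) where verdict is one of:
      "ok"        the registrable domain is one you trust (subdomains are fine)
      "lookalike" a trusted name appears in the address, but the domain that
                  actually receives the request is a different one
      "insecure"  not https
      "unknown"   none of the above; treat as untrusted
    Homoglyph tricks (paypa1.com, Cyrillic letters) are not detected here.
    """
    parsed = urlparse(url)
    # .hostname strips any user@ prefix and the port, so
    # "https://lastpass.com@evil.example/" yields evil.example, not lastpass.com.
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    if parsed.scheme != "https":
        return "insecure", domain
    if domain in TRUSTED:
        return "ok", domain
    # Look for a trusted name anywhere in the raw netloc, including a user@ part,
    # since that is exactly where phishers put it to fool a quick glance.
    haystack = parsed.netloc.lower()
    for trusted in TRUSTED:
        if trusted in haystack or trusted.split(".")[0] in haystack:
            return "lookalike", domain
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample links of the kinds seen in phishing mail.
    for link in (
        "https://lastpass.com/reset",
        "https://accounts.lastpass.com/verify?token=abc",
        "https://lastpass.com.security-check.example/login",
        "https://lastpass.com@evil.example/login",
        "https://www.amazon.co.uk/orders",
        "http://paypal.com/",
        "https://secure-paypal-login.example/",
    ):
        print(classify_link(link), link)
```

The two "lookalike" cases are the ones a quick glance at the address bar gets wrong: the trusted name is right there at the start of the link, but everything before the last two labels (or before the @) is either a subdomain the attacker controls or a username the browser throws away.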

Also be wary of unusual emails/messages from friends, family, colleagues, staff, and even your boss, as the person sending the messages may be a criminal or scammer who has compromised their email, social media account, etc. If in doubt, always pick up the phone and call that person to make sure it’s actually them you are talking to.


I hope this information was helpful.

Stay Safe

Beware: Paypal Money Request Scam is back


If you have a PayPal account, then literally anyone with an email address can request money from you. That is the double-edged sword with PayPal: it is simple to set up and use for legitimate purposes, but fraudsters take advantage of that ease of use to scam the unsuspecting public.

The PayPal Money Request scam has been around for a long time, but scammers periodically revert to old tricks, so consider this a friendly reminder: this one has made a comeback.

Here is how it works. You receive an email from PayPal with the subject "You've got a money request." If it is not a spoofed email and really does originate from PayPal (either way, do not click any links in the email), then the next time you log in to your PayPal account you will see the pending money request on your account activity page.


Once you’re logged into your account, the Transaction Detail page for the money request will give you two options – Send Payment | Cancel.

Obviously, you will want to cancel the transaction, and you’ll want to do it sooner than later, as the money request can blend in with other PayPal transactions if you’re using it frequently, and you wouldn’t want to accidentally pay it.


Someone wrote about this scam in 2009 about a $5 request. Comments in 2010 said they were getting $10 requests. The screenshot above as you can see is for £499 – chalk it up to inflation.

This type of scam is really a numbers game. Fraudsters are hoping these requests are received by people who are either naive or more likely, busy online merchants who make dozens or sometimes hundreds of PayPal transactions daily and may unintentionally authorize the payment before realizing it wasn’t attached to a legitimate transaction.

It doesn’t take a high percentage of success to make this venture profitable for a scammer. And it wouldn’t be pervasive if there wasn’t some level of success. So remain vigilant.

See PayPal's own guide: What are common scams and how do I spot them? (paypal.com)
Have your Google Reviews been vanishing?


Just weeks after the Google Business Profile suspension nightmare, it seems Google learned nothing from all the problems they caused for businesses around the world and did it again. This time, they released a bug that caused hundreds of thousands of legitimate Google reviews to get removed from Google business profiles.

So what happened this time?

Mike Blumenthal broke the news of the possible bug over the weekend, after observing several posts on the Google Business Profile Community Help Forum. 

Update: The saga continues

Found more cases of lost Google GPB reviews:

‘They had shortened the business name…& changed my website information to a different link that also went to my website. I realized all 105 of the reviews had VANISHED!’https://t.co/ClRqEpUOwp

— Mike Blumenthal (@mblumenthal) November 13, 2022

It appears that Google has pushed changes live to Google Business Profiles following a Suggested Edits update, but with further investigation, Mike found that it was also changing the CID numbers of profiles each time—essentially creating a ‘new’ listing in Google’s eyes, dissociating existing reviews and then removing them altogether. As he highlights here, the two updates are rarely carried out at the same time, pointing to the high probability of a new bug.

What’s a CID? The Ludocid, sometimes referred to as the ‘CID’, is a unique ID that Google assigns to a specific business location in order to identify it within its systems.

Why is this so scary? Well, as a business owner or manager, you’ll know the importance of local business reviews for boosting your presence and general credibility. For those who actively engage customers in review campaigns, this will come as an incredible kicker if you are affected, meaning you could lose out on hard-earned reviews.

What you can do if you’re affected

You should be able to reinstate your business information fairly simply by clicking the ‘Actions’ button and rejecting any incorrect edits, but we’d recommend first taking note of everything that has changed in order to make your case to Google.

As for the CID number and review removals, you’ll need to provide your old and new CID numbers and highlight what has happened within a GBP Support Form, asking Google to reinstate your lost reviews. 

Safety-proofing your business reviews

We don’t know for sure just how permanent the effects of this bug will be and, while it may be a temporary blip, it does highlight the importance of keeping track of any changes to your Google Business Profile. Here are some tips to ensure you’re prepped:

  • Keep a record of all your business reviews, including the name of the reviewer and its content. You could do this by setting up a specific folder in your email and ensuring you receive and keep every email notification for each new review your business receives.
  • You could also use a reviews plugin for your website that downloads and syncs all your reviews from the various review sites (google, facebook, yelp etc) to your website, thus maintaining a separate copy.

Top Tip: If you need to keep tabs on a vast amount of reviews, then the  Reputation Manager in my Local SEO tools does it all for you in one place, storing review content and dates within the platform. Plus, you can export a CSV of your reviews to keep records handy.

Connect your GBP to Reputation Manager so that new Google reviews are fetched automatically every day. If your GBP is not connected you can schedule a weekly or monthly fetch instead, but then you will not catch cases where very new reviews were deleted between fetches.

  • Ensure you know and store your Google CID number in case of any changes like this. If you don’t know how to find your CID number, you can use our free Google Review Link & Place ID Generator to look up your business.
  • Keep track of any changes made via Suggested Edits in order to spot any inaccurate information and keep your business listing up to date.