Master passwords are static passwords by definition. It could have been an old-fashioned keylogger, for example. It could also be a phishing email attempt.
Disclaimer: I worked on the 2FA part of the saas pass password manager which never has a master password and always uses passwordless MFA like scanning an encrypted barcode for unlocking the browser extension.