
Hey, this _just_ happened to me too....my password would be near impossible to guess and is not used elsewhere...

Just deleted my LastPass account!

here's the info that came with the email

Time: Monday, December 27, 2021 at 1:41 PM EST
Location: São Paulo, SP 01323, BRAZIL
IP address: 160.116.88.235



Mine was from India, master password definitely unique and very strong. I'm still hoping for some bug that mass alerted every day login attempts instead of actually gaining access.


I'm hoping for an email bug / false positive too.

Also, incorrect login attempts (i.e. using the wrong password) do not send out an email.

If you do attempt to login with the correct master password from a different/new IP, then you'll get the "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email.


Hey, could you please confirm whether you have uBlock Origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!


Can you guys list out the browser extensions you are using and/or if you're using LP on mobile?

We need to find a common thread.


WHAT!! Same IP range for me.

How is this possible????


Is the date / time exactly the same? It seems like they might have emailed _everyone_ at this point. Maybe it's just a bug.


I have a LastPass account (also not used for some time) and have not received this email.


not sure, but this seems pretty bad! fwiw, i haven't used lastpass in at least a year. i've been using 1password.


How old approximately was your account? I used my master password the last time in 2017... were our master passwords compromised back then... and someone held on to them for that long? That seems improbable?


just checked my email. last pass account was created in 2015, not sure if the current leaked password has been in use that whole time, but it has definitely been quite a few years. moved over to 1password in march of this year and likely have not used last pass at all since.


That's really so strange.

What is the probability that you, techknight (the other user in this thread) and me used the exact same compromised software back in ~2017 and had our master passwords stolen then? And for that person/bot (in Brazil) to try all of those master passwords now?

It's beginning to look like this is a LastPass issue, no..?


LastPass was my first thought, but I couldn't find anyone else having the same issue and decided it couldn't possibly be them. Now I'm not sure!

I've emailed you a list of the extensions I use in Chrome - if you want to share publicly any that we have in common I'm okay with that


Hey, thanks -- just replied to your email.

Since I haven't used this LastPass master password since 2017, I'd have to remember which extensions I had back then, which is hard to do...

I may have had 1Password and Adblock Plus which you had/have too.

But it's hard to say. It's a possible vector (that you, dogman123 and I had the same compromised extensions) but also... why would the hackers have sat on our master passwords for nearly 4 years (in my case)?


One other breadcrumb: https://news.ycombinator.com/item?id=29706957

It's looking like you got phished a long time ago, or installed malware which targeted the lastpass extension.

Did all of you use the same OS four years ago? (Windows perhaps?) Some malware targets Chrome/Firefox files on disk. A malicious extension probably wouldn't be able to affect your LastPass extension, but a malicious malware app could easily modify it.


Yeah, all of us being phished years ago is a possibility (I just replied to your other comment)

I used macOS/Chrome back in 2017. I definitely could have been phished then, or used a compromised extension.


How'd they get past the 2FA, though?

Or does LP shoot an email if it detects a suspicious geo-IP login before the 2FA prompt?


LP shoots an email as soon as someone attempts to login with the correct password from a new IP.

Once the IP is approved (you have to follow a link from the email), then you login again with the correct password and then get the 2FA prompt.


it certainly does look like a lastpass issue....


What prompted the move to 1password? Curious as I am deciding myself which service to use.


Not OP commenter but I personally would recommend using pass (https://passwordstore.org), I’m a little paranoid about all this fuss, plus did you see the news in HN a few months ago about a password manager web browser extension having an exploitable vulnerability? Not sure if it was lastpass but I’ll try to search for it…

Edit: I found an old post from about 5 years ago on a vulnerability in LastPass’s extension [0]

[0] https://news.ycombinator.com/item?id=12171547


I was so pissed at LastPass when the Firefox extension stopped working when Firefox Quantum was released, they didn't have an ETA for fixing it, their support is completely crap. I gave up on LastPass with 9 months left on my subscription and moved to 1Password. Also, LastPass UX is still awful to this day (I have to use it for work). Migrating from LastPass to 1Password was like migrating from Linux to Mac. It's more expensive, but it's sooooo much better and polished.


What browser extensions do you have installed?


I don't remember which extensions I had in 2017, unfortunately...


got one at 1528EST from 23[.]236[.]213[.]5 - OSINT shows it part of BLAZING_SEO_PROXY

pw was only ever used here and stored offline


That's a different IP range, but the fact that it's all happening at once (i.e. these unique, never used elsewhere LastPass master passwords being used to login) is rather strange..?

Or I am drawing a random line through a cloud of dots..? :-)

What other IPs are part of BLAZING_SEO_PROXY?


Hey, could you please confirm whether you have uBlock Origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!


That IP is not from Brazil. It reverse-resolves to keznews.com (Looks like it's registered in Prague).

If you try hitting it, it will redirect you to some website which might or might not be the same for every person.


Hey, could you please confirm whether you have uBlock Origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!


I feel this is like a Reddit detective moment. Almost everyone here is going to have uBlock Origin installed.


Yeah I agree. And a few users who were compromised confirmed not having uBlock. So yeah. False trail.


Are we sure that same email isn't sent out if someone tries to log into your account with the wrong password?


No email is sent when an attempt was made to login with the wrong password.

Logging in with the wrong password is logged in the Account History as "Failed Login Attempt"

Logging in with the correct password (or hash? TBD) from a new IP triggers the email and that's logged in the Account History as "Login Verification Email Sent"



