Yeah, what doesn't make sense is that the emails we all received say:
"Someone just used your master password to try to log in to your account from a device or location we didn't recognize"
so either:
- the email was sent incorrectly i.e. our master passwords were /not/ used to login. In that case, why was the email sent?
- the email is correct i.e. someone does indeed have access to our master password (it was confirmed to me by one of the support agents -- that email is supposed to be sent out when the password is correct but used from a new IP) -- in that case, how is it possible that >20 people here were compromised?
In addition:
- many people here report never using their master password anywhere else
- and... not all accounts were old i.e. from 2017. A few accounts were from October/November 2021:
An extra consideration is that LastPass claim to be monitoring their systems constantly, specifically call out automated attempts ("fairly common bot-related activity"), so we can assume that monitoring includes "attempts to login with wrong passwords" or "attempts to login to accounts that do not exist". That information would be a good way to identify a credential-stuffing attack with confidence, i.e. they might be seeing millions of login attempts to accounts that don't exist + accounts that do with the wrong password...
If that is the case, then the email must be sent in error... which is definitely plausible, i.e. they have a logic mistake somewhere in their system which is incorrectly identifying some unsuccessful attempts as successful (which is triggering an event which triggers the email, the audit log entry etc).
Hopefully they make a better statement soon, because this is very terrible communication from a password management company.
That's possible, but the audit log shows the event that triggered the email and failed logins as two separate things.
The events are "failed login" and "Login verification email sent". The second one is what triggered the email and this event seems like it should only happen if you correctly login but their additional checks stop it from authenticating completely. The email has a button for "verify new device or location", which sure makes it seem like the login was successful.
I hope they just mangled up their event logger and it really should have been a failed login attempt but was logged as a valid login and triggered the email.
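Two defender-side checks come up in this thread: the earlier comment's point that a provider's own monitoring (failed logins, attempts against accounts that don't exist) is what would confirm credential stuffing, and this comment's point that a "Login verification email sent" audit event should only ever follow a correct password. The script below is an added illustration written for this thread, not LastPass code; its log format, field names and event names ("failed login", "password accepted", "Login verification email sent") are constructed assumptions, as is the sample log. It runs both checks over the sample: one flags source IPs that look like a stuffing run, the other lists verification-email events with no preceding accepted password, which is exactly the logger/logic bug the commenters are hypothesising.

```python
"""Toy detection logic over a constructed authentication audit log.

The log schema, field names and event names used here are assumptions
made for this example; they are not LastPass's real audit format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, one JSON object per line.
# 203.0.113.5 sprays five usernames (two of which do not exist);
# dave gets a genuine new-device email after a correct password;
# erin gets the email right after a *failed* login, which should not happen.
SAMPLE_LOG = """\
{"ts": "2021-12-28T10:00:00Z", "event": "failed login", "user": "alice", "ip": "203.0.113.5", "account_exists": true}
{"ts": "2021-12-28T10:00:01Z", "event": "failed login", "user": "bob", "ip": "203.0.113.5", "account_exists": true}
{"ts": "2021-12-28T10:00:02Z", "event": "failed login", "user": "nosuchuser1", "ip": "203.0.113.5", "account_exists": false}
{"ts": "2021-12-28T10:00:03Z", "event": "failed login", "user": "nosuchuser2", "ip": "203.0.113.5", "account_exists": false}
{"ts": "2021-12-28T10:00:04Z", "event": "failed login", "user": "carol", "ip": "203.0.113.5", "account_exists": true}
{"ts": "2021-12-28T10:05:00Z", "event": "failed login", "user": "dave", "ip": "198.51.100.7", "account_exists": true}
{"ts": "2021-12-28T10:05:30Z", "event": "password accepted", "user": "dave", "ip": "198.51.100.7", "account_exists": true}
{"ts": "2021-12-28T10:05:31Z", "event": "Login verification email sent", "user": "dave", "ip": "198.51.100.7", "account_exists": true}
{"ts": "2021-12-28T10:06:00Z", "event": "failed login", "user": "erin", "ip": "192.0.2.9", "account_exists": true}
{"ts": "2021-12-28T10:06:01Z", "event": "Login verification email sent", "user": "erin", "ip": "192.0.2.9", "account_exists": true}
"""


def parse_log(text):
    """Parse newline-delimited JSON audit records; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def credential_stuffing_sources(events, min_users=3, min_failed_ratio=0.9,
                                min_unknown_ratio=0.25):
    """Per source IP, flag the stuffing signature: many distinct usernames,
    almost all attempts failing, and a share of attempts against accounts
    that do not exist. Thresholds are illustrative, not tuned values."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failed": 0, "unknown": 0,
                                  "users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["event"] == "failed login":
            s["failed"] += 1
        if not e["account_exists"]:
            s["unknown"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        if (len(s["users"]) >= min_users
                and s["failed"] / s["attempts"] >= min_failed_ratio
                and s["unknown"] / s["attempts"] >= min_unknown_ratio):
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "unknown_accounts": s["unknown"]}
    return flagged


def unexplained_verification_emails(events, window=timedelta(minutes=5)):
    """Return verification-email events that were not preceded, within
    `window`, by a 'password accepted' event for the same user and IP.
    Each hit is a case where the email fired without a correct password,
    i.e. the event-logger/notification bug the thread suspects."""
    accepted = [e for e in events if e["event"] == "password accepted"]
    hits = []
    for e in events:
        if e["event"] != "Login verification email sent":
            continue
        explained = any(a["user"] == e["user"] and a["ip"] == e["ip"]
                        and timedelta(0) <= e["ts"] - a["ts"] <= window
                        for a in accepted)
        if not explained:
            hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", credential_stuffing_sources(evs))
    for h in unexplained_verification_emails(evs):
        print("verification email without accepted password:", h["user"], h["ts"])
```

On real data the second check is the more useful one for this specific incident: if it produces hits, the emails are a notification bug; if every verification email has an accepted password behind it, the master passwords really were known to the sender.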
There have been several major breaches of security in recent months, such as the log4j vulnerability, that could have allowed malware to end up being spread to quite a few people. If your computer has been compromised, KeePass files are among the list of items malware will attempt to send back. There are also secondary attacks which might have resulted in capturing their master passwords without needing to steal a KeePass or similar file (such as key loggers). Given the scope of recent breaches it seems likely to me that there should be a sudden cluster of users whose passwords were individually compromised.
It does make sense if you consider that there can be more than 1 vulnerability and that some attacker targeting LastPass may use recent password from a fresh vulnerability mixed with older passwords from some previous breach.
I'm not actually following what does not make sense.
What's confusing to me is that my password was never used elsewhere (it was generated only to be used with LastPass and stored in KeePass). Other reports here say that their passwords were unique as well.
I just have a doubt right now about the possibility that this attack was using passwords from past breaches (which is what LastPass is saying)
There are several recent vulnerabilities which could have resulted in your computer being infected with malware without you knowing (like the log4j vulnerability). Because you're storing your passwords in a KeePass vault this actually increases the platform size for attack. This could have taken the form of several fairly simple attacks, such as key logging, clipboard (copy & paste) sniffing and quite a few other methods of stealing your master password purely because you've stored it somewhere other than your brain. Given the number of reported events in recent days, this looks more like individual compromise events (malware/viruses locally on each affected user's computer) than a single large breach.
It's also entirely possible this is all due to an entirely new vulnerability which hackers have uncovered which the security community has not recognized yet. This is less likely, but whether it is the case or not doesn't change the fact this looks like a higher than average incident rate for individual compromises, rather than a larger single event.
But when they are talking about breaches they aren't just referring to other web sites being hacked. In theory, your computer may have been compromised some time during the last years.
It was just weeks ago some very popular package on NPM was found to collect credentials.
Again, not saying that's what happened but theoretically your computer was breached with some malware which collected credentials. I just meant it "makes sense" from a technical point of view. The likelihood of this being the issue I am more unsure about.
https://news.ycombinator.com/item?id=29711950
https://news.ycombinator.com/item?id=29710262