by techknight 1639 days ago
This also happened to me back on Nov 10, 2021. I had an old LastPass account, wasn't using it, when all of a sudden I get an email:

-- Login attempt blocked

Hello,

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look. ---

Like you, it told me that the attempt came from Brazil, using an IP address starting with 160. I have no idea how they would've gotten that password. Made me wonder if LastPass had some issue, but nothing was in haveibeenpwned.


What, really??

This is too crazy of a coincidence to be a coincidence.

This is exactly what's happening to me, and same IP prefix.

What does it mean?

---

How old of account was this? Can you contact me by email (email in my profile)?

---

Two theories:

- there is a problem with LastPass

- you and I both had the same Chrome extension installed that was actually compromised, and that extension was listening to/sending passwords typed into lastpass.com

I last used this account/master password back in 2017. Is that similar-ish to when you used your account?

Posting another comment here too for visibility, but this _just_ happened to me as well....

Time: Monday, December 27, 2021 at 1:41 PM EST
Location: São Paulo, SP 01323, BRAZIL
IP address: 160.116.88.235

Not sure it's really in Brazil.

LACNIC says the IP range was transferred to AFRINIC. They then say that it is owned by:

Affiliated Computing Services (Pty) Ltd descr: P. O. Box 261333 descr: Excom 2023 country: ZA

But then they further note that ownership is in dispute! We need someone to look it up in the current routing tables to see where it's presently being routed to.

I also saw that very weird thing -- Brazil vs AFRINIC.

Help/insight from ASN? BGP? networking experts would be appreciated..! Thanks a lot

Far from an expert, but https://www.dan.me.uk/bgplookup lists it as owned by AS202769, which is apparently "Cooperative Investments LLC". Scamalytics [1] states that much of their address space is VPNs, so the trail may go cold here.

[1] https://scamalytics.com/ip/isp/cooperative-investments-llc

That IP is present in a cn record for visit[.]keznews[.]com, whose whois record lists an admin contact in CZ.

Be very wary of geo-IP results; on the modern internet they are effectively useless.

Ignoring VPNs, why are they useless?

Perhaps this will help? https://bgpview.io/ip/160.116.88.235

Hmm. So I don't know if this means anything, but I was googling for the IP address and wound up at https://ipinfo.io/160.116.88.235 which says hostname: visit.keznews.com. When you go to that hostname, it's one of the best phishing sites I've ever seen. They dynamically inserted my ISP's logo (Spectrum) and tried to do a phishing attempt:

https://i.imgur.com/C9HQw1c.png

The full non-clickable URL:

  https://us.poonstate.click/us/i/spectrum/?track=u.pslnk.link&key=eyJ0aW1lc3RhbXAiOiIxNjQwNjM4NTIyIiwiaGFzaCI6IjNiZjRkYTg5MTA5MzMzNmU5NjRmMjZiNDY1NWUyN2UwMjk3NzI0OTYifQ%3D%3D&tsid=7ae4766b-0de5-4865-9f1b-025a45c71c3f&bemobdata=c%3D314f53db-f844-46ea-99f8-f277456639d3..l%3Df57d9a37-1c67-4958-ac52-6f4854ce6840..a%3D2..b%3D1..z%3D0.0016..e%3Dzr4b7f4393675711ecb78f122b3efc6f65f31163358f914cea90c49d2c8cc35b7b0612682b8c773fbcf1..c1%3Dwhiskey-oar-eAcMKVvZ..c2%3Dgriseous-trout..c4%3DDOMAIN..c6%3DNON-ADULT..c8%3D1655308..c9%3Dfbb8c5b0-5140-11ec-a217-0aea8b85a94f..c10%3D0#
I went through and answered the "questions", and it tried to take me to the actual phishing site:

https://i.imgur.com/wYt5WB3.png

https://i.imgur.com/Picaw4a.png

Screenshots of the actual phishing site

https://i.imgur.com/Bh5c2lZ.png

https://i.imgur.com/q7xnSki.png

https://i.imgur.com/GX4hWnQ.png

And its url (non-clickable):

  https://welcome.myonlineeconomy.com/us/238700/25/?pubid=aff-us&pob=3&click_id=61ca28bcf92ca000011aa4c0&subid=RT-60338e1b79fcbe00012195a3-168&utm_medium=mail&utm_term=ipadpro&terms=y&email=&fname=&lname=&fp=&address=&city=&zip=&state=&lpkeyua=a17666fa4eadface9331c0311b1e8875.1640638952

Now, the interesting part is that this phishing attempt only happened once. When I tried to visit again just now, it just says "something went wrong" (on the first site) and "Access denied" (on the second site).

I saved the sites to disk as I went, but I doubt these dumps will tell you much. Just in case though:

1. https://gist.github.com/shawwn/4deace812e7c752949a0df096ef66...

2. https://gist.github.com/shawwn/721f235e760dd2257cd760edb1188...

Long story short: It sounds like all of you got phished. I suspect you installed a malicious app that somehow targeted your web browser's LastPass extension, modifying it to send your master password to these fine people. ¯\_(ツ)_/¯

Hey,

That's quite possible, for sure. I am not beyond/above/below being phished like anyone else, ha!

The issue -- what makes it perplexing -- is that I haven't used this LastPass password since 2017. I know because this LastPass account was only used to share passwords within an org that I left back then.

Is it possible that I was phished 4 years ago, and they sat on the password? Sure.

But 2 other people in this thread being phished from the exact same phishing server/group?

Or we were separately phished using different techniques, and now one Brazil server attempted to use all of our logins?

That's what's rather strange.

Hey guys, I think that maybe this has to do with an exploit in the web browser LastPass extension about 5 years ago: HN POST: [0].

[0] https://news.ycombinator.com/item?id=12171547

Yeah, that's not impossible. Surprising that they sat on the passwords for so long, but this is quite possible. Thanks for the reference/link!

Couldn't it just be that someone got a copy of the password some years ago and now sold the list of credentials to someone else, who then tried to use it? Maybe the original owner of the list didn't realize some of the credentials was for LastPass, for example.

I'm still seeing hackers trying to log on using passwords I haven't used in ~10 years, because it's on a list somewhere.

I agree, that could make sense.

So LastPass (their extension) may have been hacked ~5 years ago ish, a few people here on the thread were all hacked in the same way, our passwords were sold off, and now the same Brazil IP range just tried all of those passwords.

This seems likely.
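As an added illustration (not code from anyone in this thread) of how a defender would spot the pattern described above, the following Python groups blocked or failed login events by /24 source prefix over constructed sample log lines and flags prefixes whose attempts touch several distinct accounts. The log format, the event names and the account names are made up for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample auth log (not real data): one login event per line.
SAMPLE_LOG = """\
2021-12-27T18:41:02Z account=alice event=blocked_new_device ip=160.116.88.235
2021-12-27T18:41:09Z account=bob event=blocked_new_device ip=160.116.88.17
2021-12-27T18:42:30Z account=carol event=blocked_new_device ip=160.116.88.235
2021-12-27T18:43:11Z account=dave event=login_failed ip=160.116.88.90
2021-12-27T18:50:00Z account=erin event=login_ok ip=203.0.113.5
2021-12-27T18:51:00Z account=alice event=login_ok ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$"
)

# Events that indicate a credential was tried but did not yield a normal login.
SUSPICIOUS_EVENTS = {"blocked_new_device", "login_failed"}


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def find_stuffing_sources(text, prefix_len=24, min_accounts=3):
    """Return {prefix: sorted accounts} for source blocks whose suspicious
    events hit at least min_accounts distinct accounts. One IP hitting many
    unrelated accounts is the credential-stuffing signature, as opposed to
    one account being brute-forced from many IPs."""
    accounts_by_prefix = defaultdict(set)
    for rec in parse_log(text):
        if rec["event"] not in SUSPICIOUS_EVENTS:
            continue
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # garbage in the ip field; ignore rather than crash
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        accounts_by_prefix[str(net)].add(rec["account"])
    return {net: sorted(accts) for net, accts in accounts_by_prefix.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    for net, accts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{net}: {len(accts)} accounts -> {', '.join(accts)}")
```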

I feel like this sounds more like a zero-day exploit being used to target the LastPass login servers.

Great post, seriously.

How many extensions are you using again? :-)

Hmm. Tabist, Twitch Now, EditThisCookie, TooManyTabs, ublock, adblock, tampermonkey, disable Reddit CSS, FreshStart, Notion, Netflix auto-skip, gist from website, Auto Kill Sticky... and a couple I don’t recognize. I’ll post a full list when I’m back at a laptop.

“Too many” :)

The only ones I have that match up there are EditThisCookie and ublock (origin)

EditThisCookie was last updated November 22, 2020, so it doesn't seem likely from that.

ublock origin was updated December 2, 2021, but they haven't changed devs or anything that would make me suspicious.

That’s not a phishing site. That’s standard zero-click/smartlink monetization. It’s a lot to explain and I’m on mobile, but it isn’t anything to do with phishing.

But it certainly wasn't from Spectrum (my ISP); they designed the page to make it look like it was.

I agree that it could be totally unrelated to the root mystery though. But "everyone here fell for malware or got phished" seems like the most likely explanation, even if my answer happens to be otherwise incorrect.

The site is an advertising redirect, and these same attackers (or at least users of the same IP ranges) use leaked credentials to log in to Microsoft/Outlook accounts using SMTP.

I just tried logging into my LastPass (not used for a while) and I entered the password wrongly (I capitalised one letter) and got an email "Someone just used your master password to try to log in to your account from a device or location we didn't recognize."

Maybe it says someone used your master password even if they didn't? It gave the IP as Islington which is kind of correct.

I think that password case is a separate issue. If I remember correctly, many online services do "secretly" accept mixed cases for the same password (because users make more mistakes than they realize and it would be "annoying" to be too strict)

If you didn't receive a "Someone just used" email (with an IP that's completely geographically off from where you are) that's a good sign, of course.

I tried pushing back on just such a request once, pointing out it made one of the password "security" requirements pointless (use mixed case letters).

"But famous company X does this, it is really convenient for users!" was all the response I got. All I could do at the time was (internally) shake my head.

Oh! If the messaging is the same regardless of whether the right password is used then that changes everything!

When a wrong password is used, no email is sent out from my multiple experiments today.

I'm happy to be proven wrong, but I think that what's happening with @tim333 is that master passwords may be all lower cased (for example) before being hashed. Or maybe the password is hashed twice with the first letter upper and lower cased.

Here's what I found from a quick google re: password case:

https://www.zdnet.com/article/facebook-passwords-are-not-cas...

https://security.stackexchange.com/questions/68013/facebook-...

"This is simply Facebook trying to provide a better user experience for those users who may have Caps Lock enabled, or whose devices automatically capitalize the first letter of the password."
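To make the theory above concrete, here is an added Python sketch (hypothetical; not LastPass's or Facebook's code) of a verifier that accepts the Caps-Lock and first-letter case variants of a password by hashing each candidate, next to a strict verifier, so the effect on which typed strings unlock the account can be checked directly.

```python
import hashlib
import hmac
import os

# Hypothetical verifier written for this example only; the KDF, iteration
# count and variant rules are assumptions, not any real service's settings.


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever KDF a real service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(password: str):
    """Return (salt, stored_hash) for a freshly enrolled password."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def case_variants(typed: str):
    """Candidates a lenient service tries: as typed, Caps-Lock inverted,
    and first letter toggled (phone auto-capitalisation). Deduplicated."""
    candidates = [typed, typed.swapcase()]
    if typed:
        candidates.append(typed[0].swapcase() + typed[1:])
    unique = []
    for cand in candidates:
        if cand not in unique:
            unique.append(cand)
    return unique


def verify_strict(typed: str, salt: bytes, stored: bytes) -> bool:
    """Exact match only: one KDF call per attempt."""
    return hmac.compare_digest(_hash(typed, salt), stored)


def verify_lenient(typed: str, salt: bytes, stored: bytes) -> bool:
    """Accept any case variant: up to three KDF calls per attempt, and up to
    three distinct typed strings now unlock the same account."""
    return any(verify_strict(cand, salt, stored) for cand in case_variants(typed))


if __name__ == "__main__":
    salt, stored = register("Secret1")
    for attempt in ("Secret1", "secret1", "sECRET1", "SECRET1"):
        print(attempt, verify_strict(attempt, salt, stored),
              verify_lenient(attempt, salt, stored))
```

Because each variant rule is its own inverse, exactly the strings in case_variants(password) unlock the account under the lenient policy, so a guesser needs to cover only a third of the case space and the server spends up to three KDF calls per wrong attempt.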

I don't think that's the case. I went back and looked at the auth logs and there are many "failed logins" and one "Login verification email sent", which is the only one I got an email for.

I am having the same issue!!! One of my important passwords was leaked and in free use by a bunch of people who were all accessing my Evernote account (thankfully it had nothing important in it). I've been on a spree to change my passwords since then.

I have been wondering - is this because of the following lastpass bug?

https://www.zdnet.com/article/lastpass-bug-leaks-credentials...