Hacker News
by techknight 1638 days ago
LastPass was my first thought, but I couldn't find anyone else having the same issue and decided it couldn't possibly be them. Now I'm not sure!

I've emailed you a list of the extensions I use in Chrome - if you want to share publicly any that we have in common, I'm okay with that.

Hey, thanks -- just replied to your email.

Since I haven't used this LastPass master password since 2017, I'd have to remember which extensions I had back then, which is hard to do...

I may have had 1Password and Adblock Plus which you had/have too.

But it's hard to say. It's a possible vector (that you, dogman123 and I had the same compromised extensions) but also... why would the hackers have sat on our master passwords for nearly 4 years (in my case)?

One other breadcrumb: https://news.ycombinator.com/item?id=29706957

It's looking like you got phished a long time ago, or installed malware which targeted the LastPass extension.

Did all of you use the same OS four years ago? (Windows perhaps?) Some malware targets Chrome/Firefox files on disk. A malicious extension probably wouldn't be able to affect your LastPass extension, but a malicious malware app could easily modify it.

Yeah, all of us being phished years ago is a possibility (I just replied to your other comment)

I used macOS/Chrome back in 2017. I definitely could have been phished then, or used a compromised extension.

How'd they get past the 2FA, though?

Or does LP shoot an email if it detects a suspicious geo-IP login before the 2FA prompt?

LP shoots an email as soon as someone attempts to log in with the correct password from a new IP.

Once the IP is approved (you have to follow a link from the email), then you log in again with the correct password and then get the 2FA prompt.