[gregsadetsky]

Hey,

That's quite possible, for sure. I am not beyond/above/below being phished like anyone else, ha!

The issue -- what makes it perplexing -- is that I haven't used this LastPass password since 2017. I know because this LastPass account was only used to share passwords within an org that I left back then.

Is it possible that I was phished 4 years ago, and they sat on the password? Sure.

But 2 other people in this thread being phished from the same exact same phishing server/group?

Or we were separately phished using different techniques, and now one Brazil server attempted to use all of our logins?

That's what's rather strange.

[trevcanhuman]

Hey guys I think that maybe this has to do with an exploit in the web browser LastPass extension about 5 years ago: HN POST: [0].

[0] https://news.ycombinator.com/item?id=12171547

[gregsadetsky]

Yeah, that's not impossible. Surprising that they sat on the passwords for so long, but this is quite possible. Thanks for the reference/link!

[Nexxxeh]

You don't necessarily know they sat on it. You only just got a notification of the failed login now.

That doesn't mean they didn't try stuffing it elsewhere previously, or have login attempts you weren't notified of.

Nor do you know if the entity responsible for the failed login is the one who originally captured the credentials.

If you'll forgive the wild speculation, your credentials could have been sold recently and the new owners are less picky about alerting victims to the breach.

It could be that a bunch of credentials were captured for a specific purpose. Perhaps it was a targetted attack aiming for a specific victim, you and others here were collateral damage, and now the attacker is selling the assets.

[gregsadetsky]

Yeah, totally agreed and all great points.

I also generally am more suspicious of the idea that they sat on the credentials for years. Although that is not impossible.

One disproving fact (of sitting on the password for years) is that a few people here in this thread confirm having a login attempt from the exact same ip range, but with an account that was created this year -- in one case, in November 2021:

https://news.ycombinator.com/item?id=29710262

So... it might turn out to be a much more recent vulnerability after all.

[wutwutwutwut]

Couldn't it just be that someone got a copy of the password some years ago and now sold the list of credentials to someone else, who then tried to use it? Maybe the original owner of the list didn't realize some of the credentials was for LastPass, for example.

I'm still seeing hackers trying to log on using passwords I haven't used in ~10 years, because it's on a list somewhere.

[gregsadetsky]

I agree, that could make sense.

So LastPass (their extension) may have been hacked ~5 years ago ish, a few people here on the thread were all hacked in the same way, our passwords were sold off, and now the same Brazil IP range just tried all of those passwords.

[kreetx]

Perhaps you can ask the other victims when did they register their accounts to see if that's true?

[gregsadetsky]

I've been trying to ask this to people posting reports, and although there are many "older" accounts (like mine, circa 2017 or older), at least 2 reports are from accounts created this year:

https://news.ycombinator.com/item?id=29710262

https://news.ycombinator.com/item?id=29711950

That would make "more sense" that our credentials weren't stored and unused for years, i.e. that this is possibly a new, recent breach.

[sillysaurusx]

This seems likely.

[trevcanhuman]

I feel like this sounds more like a zero-day exploit being used to target the LastPass login servers.