by gregsadetsky 1639 days ago
Very interesting theory!

What's a bit surprising is how "low effort" the rest of the attack was: presumably if they found this flaw to bypass passwords, they then attempted to log in (which caused an email to be sent out), but LastPass stopped them because they (i.e. the folks on the Brazil IP range) were logging in from a new IP.

So this would be a case of one protective layer (the new IP detection) compensating for a vulnerability in the other one (the password protection).

That would be "reassuring" in a certain way (as the passwords themselves did not leak -- presumably!).

Thanks


Another possibility is that one of their (many) previous security incidents led to the leaking / exposure of master password hashes, and maybe LastPass don't treat the password hashes as they should (as a password!) and didn't take steps to ensure that any compromised hashes couldn't be re-used. So, potentially, your master password is safe, but there's a hash of it floating around.

Personally, I've long recommended people stay well clear of LastPass for their bad record of security, so shipping a bug in password-hash verification, or treating password hashes haphazardly would not surprise me in the slightest.

Again, really great point re: our password hashes floating around, rather than the passwords themselves.

I wonder if haveibeenpwned.com would somehow have information about this. I just pinged them on Twitter.