by leftpass 1639 days ago
An extra consideration is that LastPass claims to be monitoring their systems constantly, and specifically calls out automated attempts ("fairly common bot-related activity"), so we can assume that monitoring includes "attempts to login with wrong passwords" or "attempts to login to accounts that do not exist". That information would be a good way to identify a credential-stuffing attack with confidence, i.e. they might be seeing millions of login attempts to accounts that don't exist, plus accounts that do exist but with the wrong password...

If that is the case, then the email must have been sent in error... which is definitely plausible, i.e. they have a logic mistake somewhere in their system which is incorrectly identifying some unsuccessful attempts as successful (which triggers an event, which in turn triggers the email, the audit log entry, etc.).

Hopefully they make a better statement soon, because this is very terrible communication from a password management company.


That's possible, but the audit log shows the event that triggered the email and failed logins as two separate things.

The events are "failed login" and "Login verification email sent". The second one is what triggered the email, and this event seems like it should only happen if you correctly log in but their additional checks stop it from authenticating completely. The email has a button for "verify new device or location", which sure makes it seem like the login was successful.

I hope they just mangled up their event logger and it really should have been a failed login attempt but was logged as a valid login and triggered the email.