by kevinslashslash 1636 days ago
I'm one of the people that replied yesterday.

I haven't used LastPass since, at the latest, 2017. I had actually deleted all my passwords from my LastPass vault, but originally kept the account because of LastPass's password sharing feature, though I stopped using that as well. I believe I had the LastPass extension installed on both Chrome and Firefox, on both Mac and Ubuntu. I primarily used Chrome on Mac. I did have uBlock Origin on those setups as well, but I really doubt that's the vector; it's likely just incredibly popular with all users of Hacker News. My LastPass password was globally unique and between 15 and 20 characters long (with some symbols and digits). This password shows no matches at https://haveibeenpwned.com/Passwords. I considered sharing the password here, but just in case an old version of my vault is out there somewhere somehow, I'm not going to. My understanding is that such a password would be so incredibly impractical to brute force that it's not worth considering. Unless I'm outdated/wrong on that, that means the password leaked in clear text (or hashed with a broken hashing method). As I haven't typed that password since at least 2017 and I can't imagine LastPass is storing passwords in clear text, I'm inclined to believe the password was stolen in clear text from client machines (either a LastPass extension exploit or malware) in or before 2017. It's weird they were not used earlier, but as LastPass doesn't allow new IPs by default, maybe the attackers knew this and were sitting, hoping an additional exploit would allow their use. But now they're just trying on the off chance someone clicks the "That's me" link in the email. This doesn't explain the more recent claims; personally, I'm inclined to disregard them as unrelated noise (user confusion, reused password, etc.).

3 comments

Almost identical case except I think I last used my account in 2018. No matches in haveibeenpwned. Password not saved anywhere (written only) and hasn't been typed in years.

I'm a LastPass user. I change my master password every 6 months. I received the attempted login from Asia email also. So... it isn't just some exploit from 2017.

Thanks -- my own case is pretty much identical to yours. My LastPass account was from 2017, and I haven't used it since. I can also suspect a LastPass extension exploit from 2017, i.e. that's maybe how my password was stolen.

(I actually found an email from LastPass dating back to 2017 in which they were confirming that a vulnerability in their extension had been fixed. The subject of that email is "Security Update for LastPass Extensions" and it is dated March 31st, 2017.)

I also agree with you that the attackers may have been hoping this time that some people would click the email link by mistake.

What's most baffling to me are the 3 independent reports of people changing their passwords and getting the "Someone just used your master password" emails again, i.e. the same attackers that attacked you and me somehow also having access to these new passwords. That can be explained in some ways (those 3 people are currently infected with the same malware), but that explanation seems, to me, very unsatisfying.