Considering the many reports in https://news.ycombinator.com/item?id=29705957 of login attempts using the master password, it seems like the full story has yet to be told. Saying that they "were likely triggered in error" does not say much to me, and the inclusion of the word "likely" sounds like they themselves don't know what triggered it.
> We recently received reports of an uptick of users receiving blocked access emails.
This is abrogating responsibility for what happened. A better sentence would be: "We recently started receiving reports of users receiving blocked access emails in error."
> Our investigation found that some of these security alerts, which were sent to a limited subset of LastPass users
"Some of these" "limited subset", you're trying to minimize the issue and not sounding like you really understand what went wrong! Stop.
Better: "Our investigation found that these security alerts, which were sent to 7% of users, "
> were likely triggered in error.
LIKELY, LIKELY??
Do I need to explain that "likely triggered in error" could just as easily be translated as "we don't know what's going on but we sure hope nothing bad happened"?
Better: "We identified that in edge cases where two users had usernames where one was a fully contained subset of another (e.g. bob fits inside johnbobpierson) we would inadvertently send account alerts to both users when the user bob had a failed login attempt to their account."
> As a result, we have adjusted our security alert systems and this issue has since been resolved.
"adjusted our security alert systems" seriously just makes this all sound like "we were sending alerts when someone tried to log in to your account more than 5 times per hour, we raised it to 50 times per hour so y'all would shut up"
Better: "We corrected the identified bug and have checked our code base to ensure that the same error pattern is not repeated anywhere else in the code. We fired the security firm doing code audits and the CEO is looking for a pen to sign a contract with a new one"
Ok, I got a bit tongue in cheek in the end, but seriously, this statement does not make me feel like they are "taking it seriously", and a post from a password manager which you are trusting with your life must scream that at you.
The original response was essentially blaming affected users, saying it was credential stuffing. Now they changed their story. If there is any credibility to the credential stuffing story, they should ask all users that received the email to change their password, not just say change it out of an abundance of caution.
Obviously something changed, as the emails just started going out recently. Maybe it was a recent code change introducing a bug on their end; that's fine, software has bugs, but they could explain it. Maybe attackers are doing something different, which is triggering an old bug causing incorrect emails. Or maybe LastPass still doesn't really know and is just giving a potential reason, like they did earlier saying it was credential stuffing.
I'd already stopped using LastPass years ago and deleted my account when this current mess started, so they weren't really going to win me back anyway. But the (current) response to this incident leaves plenty of unanswered questions.