by overlordalex 1638 days ago
What is your opinion of the analysis from LastPass themselves?[0] It seems to have been some internal alerting that went wrong, which does happen from time to time.

> Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity [...] We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.

> Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error.

[0] https://blog.lastpass.com/2021/12/unusual-attempted-login-ac...

2 comments

The formulation is vague enough that it could mean anything. Maybe the alerts were sent out by mistake which would be good news. But they don’t quite say that. Their statement might also mean that they rather disabled legitimate alerts so that people don’t get concerned. So they might have “cured” the symptoms without addressing the actual issue.

It certainly isn’t reassuring that they keep talking about credential stuffing, even though it’s quite unlikely to be the culprit here.

> Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.

This added bit hints that these emails were erroneously sent in response to the wrong password being attempted against the master account (which normally doesn't rate an email). It isn't fully spelled out, though.

LP spends most of the blog post going on about bad user practices - which feels a lot like gaslighting in this context.

edit: I'm leaning toward accepting LP's incomplete, forced explanation and that hackery isn't in play here.

> erroneously sent in response to the wrong password being attempted against the master account

This seems likely. After the original HN post, I went to delete my LastPass account as I've been using Bitwarden for several years. I initially used the wrong password, but then successfully logged in.

I got the alert email in question, so either it was sent in response to the wrong password (incorrectly) or it was sent in response to the full login, which of course wasn't blocked. The former seems more likely to me.

I agree that it's more likely review misses a change that results in spurious "Correct master password" emails than, say, a change that lets people log in as you without the correct password.

It could also happen that there's always been a low-frequency bug (e.g. 1 in every 50000 failed login attempts is mistakenly treated as "correct master password" and triggers an email) but the nature of it was triggered more recently by some change in attacker behaviour.

E.g. imagine your bug is: if the failed login occurs just after the top of the hour, a variable somewhere has recently changed and this is mistaken as "correct master password" even when it isn't, so the email goes out. Somebody at LastPass finds this bug, it's happening maybe 2-3 times per month, no big deal, P3, give the new engineer trainee something interesting to look at in 2022.

But meanwhile bad guys discover the timeout they've been fighting resets hourly. Instead of one attempt every ten seconds per IP address in the botnet they're using to try phished credentials, they can do 360 attempts in the first 10 seconds of the hour, then do something else with the botnet for the rest of the hour. Now most of these attempts hit that bug, and suddenly dozens of spurious emails per hour are going out to your users. Ouch. Now, who is going to explain to the big boss that this is the same bug you triaged as P3 last month?
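The "timeout resets hourly" throttle in the scenario above is a fixed-window rate limiter, and the burst it permits is a well-known property of that design. The simulation below is an added example written for this thread; it is not code from the thread, from LastPass, or from any real login system, and every IP, limit and timing in it is a constructed value. It compares the hypothesised hourly-reset counter with a token bucket that enforces the intended one-attempt-per-10-seconds pace, and counts how many attempts from three constructed attacker schedules actually reach the password check. The straddle schedule goes slightly beyond the comment's scenario by placing a second burst just before the boundary, which is where the fixed window fails worst.

```python
"""Added example (not from the thread or from LastPass): a fixed-window throttle
that resets on the hour versus a token bucket that enforces the intended pace.
All limits, timings and addresses below are constructed for the simulation."""

HOUR = 3600.0
PER_HOUR = 360                  # intended budget: one attempt per 10 s per IP
REFILL_RATE = PER_HOUR / HOUR   # token bucket refill, tokens per second (0.1)
BURST = 5                       # small burst allowance for the token bucket


class FixedWindowLimiter:
    """Counts attempts per (ip, hour bucket). The counter resets at the top of
    each hour, which is the behaviour the comment hypothesises."""

    def __init__(self, limit=PER_HOUR, window=HOUR):
        self.limit, self.window = limit, window
        self.counts = {}

    def allow(self, ip, t):
        key = (ip, int(t // self.window))
        n = self.counts.get(key, 0)
        if n >= self.limit:
            return False
        self.counts[key] = n + 1
        return True


class TokenBucketLimiter:
    """Refills tokens continuously. An idle client can bank at most `capacity`
    attempts, so a burst is capped and the per-10-second pace is enforced."""

    def __init__(self, rate=REFILL_RATE, capacity=BURST):
        self.rate, self.capacity = rate, capacity
        self.state = {}  # ip -> (tokens, last_seen)

    def allow(self, ip, t):
        tokens, last = self.state.get(ip, (self.capacity, t))
        tokens = min(self.capacity, tokens + (t - last) * self.rate)
        if tokens >= 1.0:
            self.state[ip] = (tokens - 1.0, t)
            return True
        self.state[ip] = (tokens, t)
        return False


def attempt_times(start, n, spacing):
    """Constructed attacker schedule: n attempts from `start`, `spacing` s apart."""
    return [start + i * spacing for i in range(n)]


def allowed_count(limiter, ip, times):
    """How many attempts in `times` (in order) get past the limiter."""
    return sum(1 for t in times if limiter.allow(ip, t))


def compare(ip="198.51.100.7"):  # documentation-range address, constructed
    # A: patient attacker, one attempt every 10 s for an hour.
    paced = attempt_times(HOUR, PER_HOUR, 10.0)
    # B: the burst from the comment, 360 attempts in the first 10 s of the hour.
    burst = attempt_times(HOUR, PER_HOUR, 10.0 / PER_HOUR)
    # C: a burst shortly before the boundary, a pause, then burst B again.
    straddle = attempt_times(HOUR - 20.0, PER_HOUR, 10.0 / PER_HOUR) + burst
    results = {}
    for name, times in (("paced", paced), ("burst", burst), ("straddle", straddle)):
        results["fixed_window_" + name] = allowed_count(FixedWindowLimiter(), ip, times)
        results["token_bucket_" + name] = allowed_count(TokenBucketLimiter(), ip, times)
    return results


if __name__ == "__main__":
    for name, n in compare().items():
        print(f"{name}: {n} attempts reached the password check")
```

The fixed window lets all 360 burst attempts through, and 720 within about 30 seconds when the attacker straddles the boundary, while the token bucket admits only the small burst allowance plus what refills during the burst. A paced attacker is treated identically by both, which is why the comment's P3 bug could sit quietly until the attacker's schedule changed; a limiter that actually enforces the pace keeps the blast radius of any such downstream bug bounded.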

> LP spends most of the blogpost going on about bad user practices - which feels a lot like gaslighting in this context.

He spends most of the post dismissing user error. That looks very reasonable to me, as those are the most likely issues by a large margin.