by WarOnPrivacy 1637 days ago
There might be a cluster of old accounts in play and perhaps a smaller cluster of newly created or newly changed accounts. This hints at the possibility of more than one bad actor.

It's possible the old accounts could be some old stock sold on a darknet forum and are being bundled in with the newer hashes/pwds. It's also possible that the entity harvesting the newer hashes/pwds isn't the same one who is amateurishly attempting to access the accounts.

Note: LastPass's geolocation may be off (even more than usual for geolocation) as some of the IPs are in ownership dispute and all of them may be for VPNs.

1 comments

Yes, the sample is rather small to draw conclusions from. The biggest concern, however, is the people who got the notification again after changing their master password. It just doesn’t make sense if credential stuffing is what we are talking about.