by wwkeyboard 1637 days ago
They claim to have 30,000,000 users but we've only seen a handful of reports about this, why such a small percentage? Wouldn't someone with a full list of passwords want to exfiltrate as much data as possible before it became obvious they had the creds?
3 comments

First of all: I don’t think that all accounts are affected. For example, my own account didn’t receive this message. Assuming that indeed a logging server was compromised, we don’t know under which conditions the password hash is logged. Maybe it’s only people who used the web interface to log in, or only people who changed their master password, or people who hit a particular error condition.

Second: People only notice the failed login attempts. I don’t know what exactly this attack looks like, but I doubt that the point is triggering these alerts for as many people as possible. Rather, they want to log in successfully, meaning without any alerts being produced. Who knows how often this happened without anybody noticing?

Finally: We only know about people who were concerned enough about these alerts to write about it on Hacker News (or in some cases Twitter). That’s a tiny fraction of all LastPass users.

There are ways this scenario could manifest. The person submitting the passwords could have purchased them on the dark web and may be figuring out how to use them. We'd be seeing the trial-and-error part of their learning curve.
Whoever first gets hold of the password hashes would need to brute-force individual entries or cross-check them against known leaks for reuse, which takes time. It's natural that they would only go after high-value targets like famous people, cryptocurrency users, etc., then resell the database after they got as much value out of it as possible.