by skarz 1638 days ago
Passwords were NOT compromised.

It is hackers using existing compromised email/password combinations in brute-force attempts at LastPass.

That is why your LastPass password should be a password that you have not used, and never will use, on any other site.

3 comments

I'm not sure we can concretely say there was no compromise.

However, at the moment I'm not satisfied that a compromise has been demonstrated, either. As near as I can tell, nobody has reported a compromise, just suspicious emails. That's not enough evidence to prove a compromise.

LastPass' response, so far, adequately covers what we've actually seen.

Plenty of folks who reported getting this email from LP, including myself, reported that they used a strong unique passphrase for LP only.
LastPass wrote that there was a bug causing these emails to be sent.

That may be correct, because several persons have reported reproducing that issue before the LastPass fix - they have written that they logged on with an incorrect password while using an IP from another country and still got the email that their master password was used.

Very interesting and would set my mind a bit more at ease.
OP's blog suggests users are receiving similar emails even after changing their master password. Two possibilities for LP: either their servers were hacked and hashed master passwords were dumped somewhere or, as LP said, a system error due to a bug.