by chikfilley 1637 days ago
The actual security event and the email bug are two separate problems they are combining to obscure one with the other. Accounts were compromised by credential stuffing and password reuse; a bug did break some of the security controls that would normally protect accounts when a specially crafted request was sent to authentication services (allowing some of the stuffing to occur). Weak security control design allowed attacks to continue in other scenarios. What probably stopped this from being a bigger story the MONTHS ago that it took place was the fact that so many LastPass accounts are abandoned accounts that don’t get run through a garbage process, or the primary email account was also compromised, or users with weak passwords that are low tech IQ and not aware of the activity in their account or unsure how to handle it. Check Twitter, it started with a user complaining about account takeover and losing their coin wallet (and thousands of dollars) (stored password in LP). There were thousands of accounts compromised this way.
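As an added illustration (not code from the thread or from LastPass), here are the two signals the comment above describes, written as detection logic over auth logs: one source IP spraying many distinct accounts with mostly failed attempts (credential stuffing), and a successful login from an IP the account has never used before (the "your password was used from a new IP" alert). The log lines, IP addresses, account names and thresholds are all constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp,account,src_ip,result
SAMPLE_LOG = """\
2021-10-01T08:00:01,alice,203.0.113.7,success
2021-10-01T08:00:05,bob,203.0.113.7,fail
2021-10-01T08:00:06,carol,203.0.113.7,fail
2021-10-01T08:00:07,dave,203.0.113.7,fail
2021-10-01T08:00:08,erin,203.0.113.7,fail
2021-10-01T08:00:09,frank,203.0.113.7,success
2021-10-01T08:01:00,alice,198.51.100.2,success
2021-10-01T08:02:00,bob,198.51.100.3,fail
2021-10-01T08:02:30,bob,198.51.100.3,success
2021-10-01T08:03:00,grace,192.0.2.9,success
"""
# Constructed history of IPs each account has logged in from before this window
KNOWN_IPS = {"alice": {"198.51.100.2"}, "bob": {"198.51.100.3"}}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, account, ip, result = line.strip().split(",")
        events.append({"ts": ts, "account": account, "ip": ip, "ok": result == "success"})
    return events

def stuffing_sources(events, min_accounts=4, min_fail_ratio=0.5):
    """IPs that hit many distinct accounts with mostly failures: the shape of a
    leaked credential list being sprayed across users (credential stuffing)."""
    per_ip = defaultdict(lambda: {"accounts": set(), "fails": 0, "total": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["accounts"].add(e["account"])
        s["total"] += 1
        s["fails"] += 0 if e["ok"] else 1
    return {ip for ip, s in per_ip.items()
            if len(s["accounts"]) >= min_accounts and s["fails"] / s["total"] >= min_fail_ratio}

def new_ip_successes(events, known_ips):
    """Successful logins from an IP the account has not used before: the condition
    behind a 'password used from a new IP' alert. Ignores failed attempts."""
    seen = {acct: set(ips) for acct, ips in known_ips.items()}
    findings = []
    for e in events:
        if not e["ok"]:
            continue
        ips = seen.setdefault(e["account"], set())
        if e["ip"] not in ips:
            findings.append((e["account"], e["ip"]))
        ips.add(e["ip"])
    return findings

def triage(events, known_ips):
    """Split new-IP successes: those from a stuffing source point at takeover via a
    reused password; the rest still need ordinary new-device follow-up."""
    bad = stuffing_sources(events)
    hits = new_ip_successes(events, known_ips)
    return {"likely_takeover": [h for h in hits if h[1] in bad],
            "new_ip_only": [h for h in hits if h[1] not in bad]}

def run():
    return triage(parse_log(SAMPLE_LOG), KNOWN_IPS)
```

In the sample, 203.0.113.7 tries six accounts and succeeds on two, so both of those successes are ranked as likely takeovers rather than plain new-device logins.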

Can you talk more about the specially crafted request?

Were those requests the ones that triggered the emails that many of us received, and were those requests made with the correct or incorrect passwords?

Do you have an explanation why some people changed their LP passwords, and then received another login attempt alert email after that? Is that a coincidence (i.e. it was just more incorrect credentials still being tried on the same accounts) or was the attacker aware of the password change? Did the attacker have access to the new password or not?

Many of us received the alert email that our passwords had been used (i.e. an attempted login with the correct password from a new IP), but swear that those were unique passwords (in my case, it was computer generated, locally stored in KeePass and never re-used -- many other cases like that). Did the attackers have our passwords in their possession, or no?