Unfortunately, the email sent from LastPass specifically says "Someone just used your master password to try to log in to your account from a device or location we didn't recognize"

LastPass support did confirm that the IP from Brazil did have the master password.

I also tried to login with a wrong password and that shows up as "Failed Login Attempt". This is different -- the person on the other side did have the master password.

Re: KeePassX, I agree. It's a catastrophic scenario if true, but it does seem improbable.




I thought that LastPass didn't send your master password over the wire, rather it uses client-side code to take your Master Password and turn it into a hash which is then sent to LastPass for comparison[1]. If that is the case, how can LastPass claim to know that your master password was used? At best, they can claim that the hash sent to the server matches your password's hash but that is not the same as your master password being used.

Given the widespread nature of this issue, I'd guess someone has discovered a flaw in the LastPass login process which is allowing a bad hash to pass the master password hash check: that contradicts what the support agent said, but I'd assume they're mistaken, rather than LastPass are lying in their documentation about how their system works.

[1] https://support.logmeininc.com/lastpass/help/about-password-...


Very interesting theory!

What's a bit surprising is how "low effort" the rest of the attack was: presumably if they found this flaw to bypass passwords, they then attempted to login (which caused an email to be sent out), but LastPass stopped them because they (i.e. the folks on the Brazil IP range) were logging in from a new IP.

So this would be a case of one protective layer (the new IP detection) compensating for a vulnerability in the other one (the password protection).

That would be "re-assuring" in a certain way (as the passwords themselves did not leak -- presumably!).

Thanks


Another possibility is that one of their (many) previous security incidents led to the leaking / exposure of master password hashes, and maybe LastPass don't treat the password hashes as they should (as a password!) and didn't take steps to ensure that any compromised hashes couldn't be re-used. So, potentially, your master password is safe, but there's a hash of it floating around.

Personally, I've long recommended people stay well clear of LastPass for their bad record of security, so shipping a bug in password-hash verification, or treating password hashes haphazardly would not surprise me in the slightest.


Again, really great point re: our password hashes floating around, rather than the passwords themselves.

I wonder if haveibeenpwned.com would somehow have information about this. I just pinged them on twitter.


If Lastpass was zero knowledge then this wouldn't make sense. The master password or some derivative of it should decrypt your passwords on the local device.

I use Keeper and despite it being cloud based, that's exactly how it works.


Your test of a login attempt with a wrong password was a good idea, but did you do it from a location they would not recognize? That's what you need to do to rule out that the Brazil message was merely a wrong-password login attempt.

I'm a bit skeptical that if someone tried a login with the correct password but from an unrecognized location that they would block it by default. People do travel and do change devices. It would really suck if you were far from home and needed to use one of your passwords and couldn't login because you are not at your normal location.

What I've seen from other services when logging in from a new location is either

1. They send an email or text to the email or phone number associated with the account, which must be acknowledged before the login is allowed, or

2. The login is allowed but they send an email or text telling me that there was such a login and that if it wasn't me how I can kick the person out and re-secure the account.

This item from their support site suggests that they do #1 [1].

[1] https://support.logmeininc.com/lastpass/help/best-practices-...


LastPass does send out an email every time that there is a new login attempt with the correct password from a new ip address. An included link from that email must be followed for the ip to be approved. Then, you can actually login from that ip. (and yes, that's annoying re: travel/ip changes...)

When a wrong password is entered, no email is sent.

I tested the above (using a new ip with correct password -> email; wrong password -> no email) and it also aligns with what my "Account History" shows. There's a list of bad password attempts, and there's a separate list of "Login Verification Email Sent" i.e. the password was correct (presumably -- or maybe its hash -- that's one theory going around) but it was from a new, un-verified-so-far ip.

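The theory running through this thread (client-side hashing, a leaked or replayed hash passing the password check, and the new-IP verification email firing as a result) can be modelled end to end. The following is an added example written for this page, not LastPass code; the iteration counts, the salting layout, the toy vault cipher and the event names are assumptions chosen to mirror what the comments above describe. It shows that something that only holds the authentication hash can satisfy the server's password check and trigger the "Login Verification Email Sent" event, yet still cannot decrypt the vault, because the vault key never leaves the client and the auth hash is a one-way derivative of it.

```python
import hashlib
import hmac
import secrets

# Added example (not LastPass code): a model of a "hash on the client, verify on
# the server" login flow. Round counts and the derivation layout are assumptions.
CLIENT_ROUNDS = 100_100   # assumed client-side PBKDF2-SHA256 rounds
SERVER_ROUNDS = 100_000   # assumed additional server-side rounds


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side: the key that decrypts the vault. It never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def derive_auth_hash(email: str, master_password: str) -> bytes:
    """Client side: one further one-way step over the vault key; this is what is sent."""
    vault_key = derive_vault_key(email, master_password)
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-based stream cipher for illustration only; use AES-GCM in real code.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    enc_key = hmac.new(vault_key, b"enc", "sha256").digest()
    mac_key = hmac.new(vault_key, b"mac", "sha256").digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(vault_key, b"enc", "sha256").digest()
    mac_key = hmac.new(vault_key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("vault does not decrypt with this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Holds only a salted hash of the auth hash, the encrypted vault and trusted IPs."""

    def __init__(self):
        self.accounts = {}
        self.history = []   # (email, ip, event), like the "Account History" page

    def register(self, email, auth_hash, ip, vault_blob):
        salt = secrets.token_bytes(16)
        self.accounts[email] = {
            "salt": salt,
            "verifier": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS),
            "trusted_ips": {ip},
            "vault": vault_blob,
        }

    def login(self, email, auth_hash, ip):
        acct = self.accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, acct["salt"], SERVER_ROUNDS)
        if not hmac.compare_digest(candidate, acct["verifier"]):
            self.history.append((email, ip, "Failed Login Attempt"))
            return None
        if ip not in acct["trusted_ips"]:
            # Password check passed, but the IP is new: no vault yet, mail goes out.
            self.history.append((email, ip, "Login Verification Email Sent"))
            return None
        self.history.append((email, ip, "Login Successful"))
        return acct["vault"]

    def approve_ip(self, email, ip):
        """Models the user following the link in the verification email."""
        self.accounts[email]["trusted_ips"].add(ip)


def simulate():
    email, password = "user@example.com", "correct horse battery staple"  # constructed
    server = Server()
    vault_key = derive_vault_key(email, password)
    secret = b"site=bank.example; pw=hunter2"  # constructed vault content
    server.register(email, derive_auth_hash(email, password), "203.0.113.5",
                    seal_vault(vault_key, secret))
    # 1. Wrong password from the home IP: recorded as a failed attempt, no email.
    server.login(email, derive_auth_hash(email, "wrong"), "203.0.113.5")
    # 2. Replayed auth hash from a new IP. The attacker never had the master
    #    password; this stands in for a leaked or intercepted hash.
    stolen = derive_auth_hash(email, password)
    server.login(email, stolen, "198.51.100.77")
    # 3. If the owner approved the IP anyway, the blob is handed over, but the
    #    auth hash is not the vault key, so it still does not decrypt.
    server.approve_ip(email, "198.51.100.77")
    blob = server.login(email, stolen, "198.51.100.77")
    try:
        open_vault(stolen, blob)
        replay_decrypted = True
    except ValueError:
        replay_decrypted = False
    owner_ok = open_vault(vault_key, blob) == secret
    return [event for _, _, event in server.history], replay_decrypted, owner_ok
```

Running `simulate()` produces the three history entries discussed in the thread in order (failed attempt, verification email, successful login after approval) and shows that the party holding only the replayed hash cannot open the vault while the owner can. The separation that makes this hold is that the server's verifier is a hash of a hash of the vault key, so nothing stored or transmitted can be inverted back to the key; a server that skipped the final one-way step, or compared the transmitted hash without its own salted rounds, would be the "treating hashes haphazardly" case the comments describe.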

I've had that exact thing happen before when logging on using my phone's hotspot. It did really suck, and what I ended up doing is remoting into my PC at home. I feel like they care a lot more about false negatives versus false positives.

