
That's really bad, and possibly invalidates the theory that this is a breach dating back to 2017...

Would you mind sharing the ip address that attempted to login?

Also, you created the account this year, in 2021?

Thanks




Yep, I created the account just last month. Here are the 'Was this you?' details from the email:

Time Wednesday, November 10, 2021 at 2:57 PM EST

Location São Paulo, SP 01323, BRAZIL

IP address 160.116.92.198


Thanks for confirming.

This is what's really, extremely troubling: some of the accounts (which had almost successful login attempts from the 160.116 range) here were created years ago. Mine was from 2017, others were too.

But a few reports, like yours, talk about recently created accounts.

In my personal case, I've never logged into that LastPass account since 2017.

So... was there a vulnerability back in 2017 and very recently? Or was this a recent vulnerability? Do the attackers have our master passwords, or did they discover some ability to counteract the master password verification, which is triggering those emails to be sent?


Could it be that some malware was run on your machines recently (say a few weeks ago) which extracted the master passwords and then used them now? If your LastPass master password was stored on your computer, then malware could have collected it and sent it off to some attacker.

Or could it be that all of you guys are using the same router, same ISP, same anything-else, which has snooped on traffic and collected the credential?


Malware is not impossible, but in my case, the password is stored in an encrypted keepass file. Did the malware wait for me to open my keepass vault and snoop the password then? Possibly. But it presumably could/would have done much worse things.

Other people in this thread are also confirming that their password was unused anywhere else.

And as more independent people are reporting the same story happening to them, the less probable it is that we were all hit with the same malware. It's looking more and more like this is something happening on the LastPass side.

A router/ISP should not be able to snoop the traffic between us and LastPass as presumably it's encrypted.


Let me preface by saying I'm speculating of course.

> Did the malware wait for me to open my keepass vault and snoop the password then?

It's not impossible at least. There have been vulnerabilities in KeePassRPC which allowed any JavaScript on the Internet to read your passwords [1]. If a simple JavaScript can read secrets from KeePass, I would not be at all surprised if that has happened.

> the less probable it is that we were all hit with the same malware.

Sure. But there's also some selection bias here, where a lot of the people affected are visiting Hacker News. On Twitter, everyone (more or less) who's discussing this issue links this post, which at least in theory could indicate that the scope of the issue is relatively narrow (compared to the entire internet). It could be that some specific developer tools or libraries have been affected, for example (as with any of the recent packages on NPM which people claim may have sniffed credentials).

1: https://forum.kee.pm/t/a-critical-security-update-for-keepas...


I copy/pasted the password from 1Password; it may lend credence to the malware Chrome extension theory, at least in my case. Anybody else using these?

uBlock Origin, Google Images Restored, Allow Right-Click, Clear Cache, StartMeeting.com Launcher, ShowPassword, Tampermonkey, Usability Hike: Find usability problems, Window Resizer, Tag Assistant Companion, Google Analytics Debugger, Google Docs Offline, Google Optimize, Google Suspicious Site Reporter


I use uBlock Origin too (the only one in common with you), but in my case, I hadn't copied/used the master password before the login attempt.

The login attempt was out of the blue, using a password I hadn't used since 2017.

My LastPass password may have been compromised back in 2017, but there are at least two reports here of recent accounts being compromised as well (with the attacker connecting from the same 160... IP range).


Happened to me too. The only one there I have is uBlock Origin, which matched what somebody else also had. Hard to imagine it's uBlock Origin though, because it has so many users.



