The location supplied by the LastPass notification for these login attempt IPs seems off. E.g., just taking some of the IPs most frequently posted here as sources of master password login attempts:
196.19.204.79 Stated location: India
WHOIS: Poland Warszawa Unit 117, Seychelles (Legacy) AFRINIC AS202769 COOP, US
160.116.206.37 Stated location: Germany
WHOIS: Affiliated Computing Services, South Africa AFRINIC AS262287 Maxihost LTD, BR
168.81.122.153 Stated location: Germany
WHOIS: Seychelles AFRINIC 202769 COOP, US
Someone is probably putting bogus information into the routes for these IP ranges. But what do all of these IPs have in common? According to my records, they are all related to a dodgy hosting provider in the Netherlands called Ecatel, now called Qasi Networks or IP Volume. And this is all disputed AFRINIC IP space, as per:
https://krebsonsecurity.com/2019/12/the-great-50m-african-ip...