Ask HN: How could someone have guessed my LendingClub password?

3 points by minton ↗ HN
I used 1Password and my LendingClub account has a 40 character randomly generated alphanumeric password. I do not reuse passwords. This evening I received a "one-time" code with login details saying someone attempted to login.

  Login Details
  We noticed a login attempt from the following device and location.
  Location: Ashburn, VA
  Browser: Chrome
  IP: 52.5.126.46
How could someone have guessed such a password?

5 comments

[ 6.5 ms ] story [ 27.5 ms ] thread
That IP address is an Amazon EC2 instance...are you using a proxy or VPN?
I do use a VPN but I was not accessing the site, I was watching a movie when I got the email.
Login Attempt = Failed Login

Login = Successful login

I don’t think it’s a failed login attempt since I received a one-time code. Also, this is the same email I get when I try to login.
Assuming someone did get your password and you are the only with access to it possibilities range:

you having logged on a different computer where your password was recorded,

your password being stored in ram and accessed by a malware,

your 1Password account being violated,

LendingClub had a data leak and they do not hash their passwords

You gave your password up in a phishing attack

I’m sure there are more that I haven’t thought of.