Ask HN: How did my LastPass master password get leaked?

877 points by gregsadetsky ↗ HN
Hi,

I've just had a bizarre thing happen and wanted to see if the HN community could come up with some theories as to what happened.

LastPass blocked a login attempt from Brazil (it wasn't me). According to an email I received from LastPass, this login was using the LastPass account's master password. The email doesn't look like it's a phishing attempt.

What troubles me is that the master password was stored in a local encrypted KeePassX file.

I can imagine that someone has my KeePassX file and the (completely different) password to this file. If that's the case, I'm in a world of hurt.

But are there any other possibilities? Is the email from LastPass accurate i.e. was the login attempt actually using my master password? Is there some LastPass extension installed on some computer still having a valid auth token allowing them to login as me to LastPass..?

I'm really confused, and scared.

Thanks for your help.

P.S. The LastPass account had 2FA set up, but I was able to simply remove it (since I didn't have access to the token anymore). That's scary too -- what's the point of a 2FA you can remove...??

---

Update:

- the email was truly not phishing -- the same information regarding the login attempt appears in my LastPass dashboard. I also talked to LastPass support over the phone, and they confirmed seeing the same information.

- There are 2 separate users in the thread below confirming that the same exact same thing happened to them, from the exact same IP range as me.

Either the 3 of us had the same malware/Chrome extension or somehow had our master passwords compromised...? Or...? Is this a LastPass issue?

528 comments

[ 2.0 ms ] story [ 176 ms ] thread
I'd get in touch with LastPass support asap to see if they have a digital trail to help you figure out what happened.

I'd also guess the most plausible situation would be malware on your computer that managed to sniff your credentials in-transit/clipboard/memory/browser/keyboard and exfiltrate it to some shady folks.

Thanks

Sending emails to support@lastpass.com doesn't work ("This inbox is not monitored") and I have to upgrade my account to contact their support, which I'll do right away.

EDIT: after checking, the login attempt does appear in my Account History (my original email said it didn't -- I wasn't looking in the right place)

I'm pretty sure you can get a full login attempt history from them in the ui - can't verify though, don't use LP anymore.

Try a bogus attempt yourself with wrong PW, or from a cloud host/vpn/etc to verify the audit log you can access.

Assuming it does list your attempts, then yeah, it would have to be phishing/lp bug.

Yeah, thanks, I was finally able to find my Account History, and the foiled login from Brazil does appear there. So it seems like the email wasn't phishing.
Heh, I reached out to that same email literally earlier today to complain about their abysmal Android support, and I'm already a paying customer. I'm not happy with their non-response automated email and will be looking for a good alternative.
I suspect that it was a random phishing attempt.

> Login attempt blocked

> Hello, Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.

Looks fairly classic. Might want to look at the email headers, to see if it really came from LastPass.

I get about ten of these a day. Some are scarily well-done.

Most are for banks that I don't use, but I also get a lot of attempts to grab my AppleID. My Apple (mac.com) address is an OG address, and has been making the spammer circuit for over a decade. I suspect that I actually get hundreds of spams a day, but Apple is good at nuking most of them, before they reach my inbox.

I checked and the same information regarding the attempted login appears in my LastPass "Account History". I also talked to support and they've confirmed this.
Quick note that apple allows you to download a recovery code and disable all other account recovery mechanisms which I found incredibily soothing.
I sense sarcasm, but in case my sense is off, there is a webapp which allows you to log into your apple account and webapps are known to sometimes have security issues.
My bet would be on malware or compromised browser extension. You probably typed (or copy/pasted) the password ans something kept a copy along the way.
Compromised browser extension could make sense, aye.

Do Chrome extensions have access to the file system too? Is there a chance my local KeePassX file has been siphoned off?

Thanks

I don't think that's possible, more likely an extension that has access to the login form of lastpass
Got it, thanks. And yes, you're right, after checking, Chrome extensions don't have access to local files by default. I checked all of the extensions I have (after disabling them all) and none had "file access" enabled.
Clipboard access might be possibility.
Chrome extensions can run native binaries, so yes.
they can't
They can. Look up native messaging ports.
that doesn't let you launch processes, it lets you interact with running ones. even if the chrome extensions could launch new processes, they run inside Untrusted integrity level on Windows, you can verify this at chrome:sandbox and checking the Chrome task manager (shift+esc). You cannot interact with processes above your own integrity level nor launch processes with an integrity level higher than your current.
Since your master password is stored in another password manager, would it be accurate to say you copy/paste it into LastPass? If so, something running on your machine could be scraping your clipboard.

This of course assumes that it wasn’t really you from an IP that was just misidentified as being from Brazil.

For what it’s worth, I stopped using LastPass after they sold out to LogMeIn and would recommend others stop using it as well.

Yes, I do copy/paste from my local password manager. A clipboard scraper is a possibility, yes.

I hadn't logged into that LastPass account for years, so it's definitely not me who attempted to login earlier.

Re: LastPass, is there another cloud-based tool that's generally considered as more trustworthy? Bitwarden? Thanks

Bitwarden is great, highly recommend, it's open-source which adds to its trustworthiness and has a good track record of respecting users.
+1, you can host your own server as well https://github.com/dani-garcia/vaultwarden
There's an official self-host open source version as well ( the one you linked is unofficial), but it's rather heavy ( multiple .NET services, MS SQL) and not adapted for small scales.
yes, we don't talk about that one
Is the unofficial one Security Audited?
Unofficial server so you probably should avoid the web application (or build it yourself from official sources). In theory it could contain malicious code that leaks your password.
I'm in this party too. bitwarden for yourself, friends and family...
I use 1Password, seems alright security wise, won’t definitely say one way or the other, but you could DYOR on it.
Personally I just stick to local Keepass database files. I’ve never ventured into the cloud based services. If you are really worried about it, do you really need to use a cloud based password service?

Sure, managing the KeePass files by hand is certainly more cumbersome, but to me it’s worth it for the security/ peace of mind gains. I have never put my DB or key files in the cloud. And when I need to sync them up over all my devices, I gather all the DB files and use the handy ‘merge’ functionality to get them into the same state.

TIL about the merge functionality! You can also use Syncthing to synchronise the databases between your devices; if you don't have public IPs for your devices, this essentially means that you can only synchronise when two devices are on the same network -- but this might not be a problem for you.
Syncthing works great even behind a NAT, not sure how it works but it just works for me (might depend on your NAT though)
I've had zero success with nat hole punching in the past, on multiple networks. Maybe I'm just unlucky. :)
Some routers have UPnP disabled by default, maybe enabling that would help?
You can also use Syncthing and the merge function! It comes in very handy when two devices have made changes to the password database file and you end up with merge conflicts :D
Same here, I use KeePass on several Windows machines, and on a couple of Android phones (using KeePass2Android). I use a cheap VPS as a central point for syncing - so I can make changes on any machine, then sync them over SFTP, which merges the changes into the database on the VPS. I can then hit sync on any of the other machines, and it will pull down the latest database over SFTP and merge in the changes.

It sounds a bit complicated reading this back, but in reality it's pretty straightforward.

why not just use dropbox? and secure dropbox using 2FA?

FWIW, I used to run nextcloud on a ec2 instance. Decided to just use dropbox instead. the webdav support on nextcloud was neat with keepass

I have the VPS for others things anyway, and I don't use Dropbox.
My whole point was I like to be in total control my password database, and never have to decide whether to trust a third party provider or not.

Not saying Dropbox or lastpass isn’t trustworthy. Just that it’s a point of failure you can eliminate, if the lack of convenience isn’t a huge deal to you.

I absolutely agree. I love KeePass and use it for everything... this LastPass account was setup to share passwords with others at an org that I worked at.

The problem is... that LastPass password, the one stored in KeePass, is presumably the one that was leaked.

Which is what is spooking me -- if someone has access to my entire KeePass file, it's game over.

So...when you say "...was setup to share passwords with others..." is there a chance that this also means the master password was shared with one or more others?
Sorry, no, that was a confusing way of phrasing it.

The LastPass account that was almost-breached today uses the "password sharing" functionality to share passwords (to certain sites) with other people in the same org.

I was just explaining that the only reason why I have a LastPass account was to share passwords. (not the master password, obviously -- I was sharing passwords to other sites)

I typically use KeePass for all of my (site) passwords and keepass stores all of this in a local encrypted file.

Yeah, hard to say. I don’t think it means it’s ‘game over’ though. I think it just means you might need to go through the tedious process of walking through your whole DB file and update every password. And generate a new key file. Then and only then will you have peace of mind I think. Good luck!
Just configure keepass to sync with a file stored online when opening or saving the database and you have the same convenience. Syncing the main database file itself fails if different systems change the file without reloading in-between, but with sync configured it works perfectly.
Why do you recommend others to stop using LastPass?
From my interaction with LastPass support (I'm a premium user), they've outsourced to some cheap company where agents have no clue how anything works. It took weeks to get through to somebody who even understands the problem and their reply was essentially "yeah we know it's broken, it's broken because of security".

Left a really bad taste in my mouth. I wouldn't be using them at all if I didn't have to for a client.

I remember reading a blog entry, a few years ago.

Someone received a phishing email from "their bank."

They responded to the email, and got someone on the horn, immediately.

But their bank (the real one), sent them to a horrifying voice jail.

The point was that the crooks gave better customer service than the real bank.

It makes sense economically. Crooks will steal ~100% of your bank balance in one day. Bank itself earns 1-2% per year.
Yup. The blogger was just being cranky about their bank.
Barclays recently tried sending me a new credit card because they were changing to Mastercard or something.

I got an email one day that my new Barclaycard was activated. Called support, and they swore to me it was a phishing email (it was definitely from Barclay's official domain). Would not listen to me at all and kept trying to get me to hang up. I asked if I could tell them the email MessageID and they could verify the authenticity. They said no.

About 10 minutes into trying to convince them it was not a phishing email, I refresh my dashboard and there was a $600 purchase at a Long Island Walmart. That shut them up really quickly and they transferred me to their fraud department who asked me for the MessageID at the bottom of the activation email and confirmed it was real...

I asked if I could set up any additional security, and how could they activate a new credit card? Did they have my online password? Apparently no, you can just call on the phone and activate it, no authentication required. They told me I could set up a "voice password" for my account for all phone support and I did just that.

I called them back 30 minutes later, got through to support to where I could change anything about my account. Asked them if my "Voice Password" was enabled. "Yes it is." "....Okay, no one has asked me for my voice password yet, and here you are about to change my address". They still didn't really understand the seriousness, so I told them "I'm not <my name> I'm a hacker trying to steal his money." and they understood.

The worst part? I couldn't cancel that credit card until they physically sent me one to activate. No way to visit a branch and get one. It ended up getting stolen out of the mail THREE TIMES before they finally sent it with a signature required.

LastPass has suffered a few security breaches and the overall quality of the product hasn’t improved. 1Password is a superior product with no security breaches.
I just switched last night for unrelated reasons

1. BW supports inline Android 11 password fill. I find the UX much better with this feature

2. LP is a bit buggy, particularly on Android

3. LP is slow to add new features

4. I didn't expect this, but I really enjoyed BW's UI

5. On Android, I enjoy the three quick launch buttons they provide

6. LP creates new logins in folders of it's choosing by default. Not a fan

But in general, BW it just "works" better/faster for me

Because LastPass is beyond stupid and uses your master password to log in to their bbulletin or whatever php forum.

That’s what got me to write and publish this: https://neosmart.net/blog/2017/a-free-lastpass-to-1password-...

EDIT: "or whatever" means I couldn't remember the name of the php forum notorious for its insecurity, I thought it was something like 'bbulletin'. It was phpBB.

Sorry, what do you mean by "to log in to their bbuletin or whatever php forum"?

According to LastPass, they don't have access to the master password // presumably it's not stored on their side. Is that accurate..?

Thanks

I don’t use Lastpass, but if what you are saying is correct, they could not have sent the OP an e-mail (assuming it’s legit) informing them of the attempt to sign in using the master pass from Brazil, right?
Cryptography means lastpass doesn't need the master password to verify the password.
If you have the hash and algorithm used to generate it of a human generated password you can in the vast majority of cases get the password.

It’s a combination of people being very bad at generating, remembering, and entering passwords plus generally being unwilling to wait minutes or even seconds to generate the hash on their local computer.

> If you have the hash and algorithm used to generate it of a human generated password you can in the vast majority of cases get the password.

I mean, technically this is true, but it's also true if you have the ciphertext of the stored-password database, which is sort of LastPass's entire job. ;)

The only thing that might make it harder to brute force the master password with the latter than with a hashed password database is if the key derivation algorithm differs.

But I think your blanket statement is sort of misleading. In principle, if you trust someone with your encrypted password storage database, you should trust them with a hash of your master password; both serve as brute forcing oracles.

MD5 is long considered a broken, weak hash algorithm. Here is the MD5 hash of a password:

d9afca35a87a2af4168500640fcf2370

Password is 16 characters long, all lower case, no numbers, no special symbols.

Please tell me the password.

What percentage of people do you think actually use 16 character passwords?
Probably pretty low.

I use 64 character passwords, or if there is a length limit, always the longest possible. That’s the beauty of using a password manager :)

Do you use 64 character master password?
I consider mine pretty long, and it's right around 30 characters.
One advantage about having memorized a bunch of poetry back in the day is I have a lot of secure long passphrases to hand

Aesop, my author, makes mention of two mice and they were sisters dear 1234567890123456789012345678901234567890123456789012345678901234567890

70 and little effort

56 billion md5 hashes per second for $1.80 per hour at OVH. (single Nvidia Tesla v100 GPU)

Still a no-go for plain old brute forcing all a-z combinations. But, if your password is some combination of actual words, common keyboard sequences, or anything else in a password dictionary, it's cracked pretty quick/cheap.

(comment deleted)
After a bit of searching, I wasn't able to find any PHP forum software that LastPass lets you log in to. I could only find one official-seeming forum, and it uses a different login. So, I think this is FUD... I don't use LastPass, but accusing them of something like this (and using the phrase "or whatever") is pretty serious without proof.
They appear to have sunset their phpBB instance. It was the main hub and support portal on their website with up to thousands of active visitors at any given time. You can see it archived here:

https://web.archive.org/web/20150629081250/https://forums.la...

Here's the archived phpBB login page. It asks for your LastPass login and password (not your forum account, your actual LastPass login and actual LastPass master password):

https://web.archive.org/web/20150717071236/https://lastpass....

Here's a past HN discussion from the time with some guesses at how such a phpBB login using the master password could, theoretically, be implemented without knowledge of the password. Note that this doesn't imply it's possible to implement it in a way that would be resistant to their web server (running phpBB!!!!) being compromised: https://news.ycombinator.com/item?id=16016171

Unless I’m misremembering, the login to their general system was done by never sending the password over the wire. Instead they used js to do some sort of hashing type system locally.

But during the heartbleed attack when their systems were shown to be vulnerable, that was one of their arguments as to why it wasn’t so bad.

They pretty heavily fumbled exactly this heartbleed response too. They claimed they "weren't vulnerable" because of this setup but they clearly were. If you exfiltrated an SSL key, which heartbleed allowed, you can serve whatever JS (including JS that just explicitly exfiltrated your passphrase) you wanted to end users.

LastPass is full of clowns. There's already two examples of their cavalier approach to what should be simple security in this thread and I'm pretty sure there are more.

> Instead they used js to do some sort of hashing type system locally.

Just the other day a co-worker brought up this idea as an offhand remark. After bouncing it off those present, it took him all of twenty seconds to see why it might do harm and will do little good.

You'd think a password manager would employ some security minded people who could shoot down ideas that bad immediately.

What were the counterpoints?
A weakness in your clientside hashing will make your site weaker to brute-force attacks, since it will reduce the number of hashes (or passwords) an attacker has to try (collisions in client-side hashes will too, but very negligibly for a good hash function). It's also impossible to recover from without relying on another form of authentication to re-establish trust. For many sites this means downgrading to single-factor.

Any hash upgrade mechanism can be abused by a (possibly MITM) attacker to change a user's password while leaving you and the user none the wiser that specifically this occurred. If you need to lock someone out while their phone is beeping at them over their bank account being emptied, while not even making it look like their password was changed, that sounds like a fun way.

Lastly it's virtually the same as plaintext, since any salt will be known by even just a passive attacker. A true MITM won't even have to brute-force the hash.

Conclusion: Might do harm, will do little good.

I don't think this is accurate. It appears that the phpBB instance performs a redirect to a SAML login, meaning the login page where you're being asked for your master password is the regular login page.

Now, the fact that they have a web-based vault access requiring entry of your master password? Pretty bad, considering you can't disable it, and it's automatically activated even when just using the browser extension (at least as of a few years back, when I asked them to fix that.)

You don't need access to a password to check it, just the hash (then they hash what you enter and compare the hash to the one they have). So both "They use it to log in to their whatever" and "They don't have access to it" can be correct.
If there’s a breached phpbb instance, the attacker can modify login.php to log plaintext credentials.
There's a level of irony in complaining about LastPass's security, followed by suggestion people run their passwords through random third-party software that you wrote. Even if your code isn't malicious (which I believe), it opens up so many potential attack vectors.

For anyone reading this, please use the official 1Password import functionality, not this: https://support.1password.com/import-lastpass/

There was no 1Password to LastPass importer at the time I wrote that (believe me, I looked because I have better things to do than write apps to benefit a commercial entity like agilebits otherwise), and of course the code is published on GitHub and released under the MIT license. It's very short and simple and rather easy to review. It's also a .NET executable, which is ridiculously easy to reverse-compile back to C# (not just assembly) so you can even check that I'm distributing an exe that does the same thing as the code I published.

EDIT

I just revisited that link I shared, and I have to say, it takes some real chutzpah to turn around and accusing me of advising insecure practice when the link I shared literally talks about just that:

Due to the nature of this application, 𝘄𝗲 𝘀𝘁𝗿𝗼𝗻𝗴𝗹𝘆 𝘂𝗿𝗴𝗲 𝗲𝘃𝗲𝗿𝘆𝗼𝗻𝗲 𝘁𝗼 𝗱𝗼𝘄𝗻𝗹𝗼𝗮𝗱 𝘁𝗵𝗲 𝘀𝗼𝘂𝗿𝗰𝗲 𝗰𝗼𝗱𝗲, review it quickly, and compile it yourself to use this tool. However, we do recognize that this may be beyond the means of all security-minded folk out there looking to make the switch, so we are providing signed binaries available for download. If you do opt to use the binary download, make sure to validate the authenticode signature like so: ...

Just because you put a warning label on a bad practice doesn't mean it's a good practice.

Pumping your passwords through some random code on Github that has a "be smart" label doesn't make it a good idea.

Would be so easy to imitate you, reupload the code with an exploit. For giggles, if I was making this into a hijack I'd leave all your warnings in and even make them bigger and more obvious, confident in the knowledge that 99%+ of my stolen users wouldn't read the code or would just download the binaries sight unseen.

> Just because you put a warning label on a bad practice doesn't mean it's a good practice.

That is such a salient point, generally.

Funny how common it is though
1) Clone random git repo on Kali, related to Kali usage.

2) Don't read the code.

3) ???

4) Forever don't know what or when it happened.

BREAKING: There is no perfect security.

>Would be so easy to imitate you, reupload the code with an exploit.

Put your keyboard where your fingers are: do it by tomorrow morning and post here when you're done.

Well, why shouldn't people who already use insecure software with vulnerabilities (LastPass) without the possibility to even audit the code also run some code written by other people they don't know?
Clearly we both agree it's an insecure practice, since you felt it needed a warning.

Now that you know there's an official LastPass importer for 1Password, I'm curious why you're defending your version rather than updating your blog post, unlinking your original HN comment and deprecating the GitHub repo.

I believe you're genuine and just trying to help. If there's an attack, it wouldn't be you doing it – it'd be someone else replacing the binaries on an old 2017 post without you noticing. WordPress is just as insecure as phpBB. Like the other commenter said, "Just because you put a warning label on a bad practice doesn't mean it's a good practice."

cut them a break. no body's gonna to update a 2017 blog post irl, and last I checked a majority of the bloggers just use Wordpress, not exactly their problem.
I agree that's the right response, maybe just give them some time to consider it. It can be tough to give up something you worked on.
> There was no 1Password to LastPass importer at the time I wrote that

The details were hazy, but in 2016, there was a way to export your passwords from LastPass and import them into 1Password, though I don't think there was a way to do so on windows (which I believe is what your importer addresses).

After LastPass vulnerability in July 2016, I switched to 1Password.

There is, I just did it recently. It's an unncrypted copy paste dump from lastpass into 1password
This was in reference to the OP not having an option in 2017 to import to 1pass.

If I recall, I had to sign up for LastPass premium to pull my passwords to my phone, and then use keychain to import them to 1pass.

I don't think that solution would work for Windows users back in 2016.

Password managers generally use CSV, avoiding vendor lock-in. However, back when Lastpass doubled their subscription cost (yes, doubled, literally) I switched to Bitwarden. At that point, there was some issue with exporting passwords with a certain character (IIRC it was ; or #). I ended up changing the few passwords which quit working.

As for OP, my take is you clicked a bad link triggering a zero day vulnerability in your browser, or perhaps you logged in on Lastpass via a VPN or Tor? Its pure speculation though.

I am extremely grateful to ComputerGuru and others who freely share code and binaries they used to scratch a specific itch like this. As for security, I'd never dream of running anything like this outside of an isolated, offline system and would destroy the instance immediately afterwards.
There was a 1password to lastpass importer at that time, I know because I used it
There's a level of irony in complaining about malicious code, and still recommending a closed source password manager.
I can't parse this. Is your point that "closed source" is a synonym for "insecure"?
Closed source is a synonym for insecure if you accept secure means no blackbox processes.
Do you think bank ATM software/hardware, plus online banking and components should be open sourced?
Is there an official counter for phpBB RCEs/vulnerabilities that revealed user passwords? This has been going on for decades now. It's getting ridiculous.
Welcome to frameworkless PHP where code & user files are stored in the same root and any PHP file requested by a web client is executed by the server.

In most proper frameworks, including PHP ones, the only thing responding to web requests is an entrypoint file (that gets passed the request metadata including URL) and the framework takes it from there. This means that with proper configuration, even requesting a malicious PHP file shouldn't actually execute it and instead hit the framework which will promptly respond with a 404 (of course, with PHP the danger is that in case of misconfiguration the server may still prioritize an exact path match and execute the file rather than defaulting to executing the framework's entrypoint, where as other languages typically don't rely on the webserver to execute the files and couldn't run a malicious file even if they tried).

But these stupid legacy applications are still around and haven't been updated to fix this design flaw, so any flaw in sanitizing uploaded files turns into a persistent RCE. I'm sure some people will pitch in and say this isn't a design flaw and you're using it wrong, and while I agree that it can probably be made secure with enough effort, why leave such a loaded footgun around when this is essentially a solved problem in all other languages?

In other languages a malicious file being uploaded to the web root will at best result in a stored XSS which can be further mitigated by having your file uploads on a separate domain, but in PHP it's fatal.

> the server may still prioritize an exact path match and execute the file rather than defaulting to executing the framework's entrypoint

This is properly solved by frameworks having this entrypoint be in a ‘public’ folder and that also being the webroot, so only index.php and nothing else is available for a direct match (unless /../ in the url works, which would be a huge security hole).

we miss cgi-bin/
good mention. an rtfm for everyone else.
There is such a counter, CVE databases.

If you would actually take a look, you would realize you are spreading FUD.

phpBB has been rewritten from scratch around 2008 with phpBB3 and hasn't had a single severe vulnerability since. That's 13 years.

Sure. But CVEs don't enumerate RCEs/vulnerabilities that reveal user passwords - they care about a superset of all of that. And when you look at the common vulnerabilities in phpBB3, "phpBB3 hasn't had a single severe vulnerability" seems like very selective language.

I am merely giving my unprofessional opinion that phpBB(1+) has only caused harm. A significant portion of leaks seem to be attributed to it. They really could have done better, and their reputation is forever dead.

To make clear: I am sure that the current version of phpBB works just fine and isn't as disease ridden as we all know it to be. However, the fact that all of these issues have existed for so long means that perhaps we need to take a look at the software as a product and determine that its performance has not been good enough, and to expect similar performance in the future.

(comment deleted)
Without knowing anything about LastPass, a few ideas come to mind. First, is your master password only something that exists in your head? Or is it written down anywhere else either digitally or physically. If so, someone may have gained access to that. Did you use the same password anywhere else, ever? If so, it could have been in a database of possible passwords that someone used to try to brute force a copy of your KeePassX file, and succeeded. Also possible liabilities for brute force attacks are using a password that contains some kind of facts or information related to you, such as a birthday, loved one's name, address, etc, etc.

The other possibility that comes to mind is a man in the middle attack of your password was ever sent over the wire with zero or weak encryption, when someone was snooping, like on coffee shop wifi or even a nosy neighbor on your home wifi.

Thanks -- this specific master password was only stored in another, offline, password manager.

The specific password was computer generated, and I have not used it anywhere else i.e. it was only created for this LastPass account.

That's why this (probably) either means that my local password manager has been compromised (catastropic if true) or that the info I received from LastPass is not completely accurate..?

I'm guessing that the email actually was a phishing attempt, and no-one actually has your LastPass master password.
Unfortunately, once logged into LastPass, I see the exact same information in my "Account History". I also talked to support on the phone and they confirmed it.

So unfortunately, not a phishing attempt!

Other poster above says support confirmed the master pass was used
Just checking the absolutely obvious, because I had a similar thing ... and then it turned out I had my VPN on. Thought I'd double check, in case someone was a silly as I am.
Yes. Tor or a VPN was my first thought as well.
Thanks -- the original login attempt wasn't mine, so yeah. Not in this case.
That's too bad because that would have been a nice way to end this. Much good luck figuring this out, until further notice I would assume that anything that was in there is compromised so you better change your passwords.
was it a login attempt or an actual login?
It was a login that (presumably, from what LastPass is saying) was "successful" in the sense that the attacker had the master password.

The login was blocked because they automatically block any new IPs from logging in until you approve a link that you get via email.

A login attempt without the 2fa token, failed with valid master password, so far a handful of others have reported it in this thread.
It's a side note, but I had 2fa enabled on my LastPass account but didn't have access to my token (it's an old phone that I don't have anymore).

I was able to remove the 2fa by clicking a link that LastPass sent to my email (confirming that I wanted to remove the 2fa).

So if anyone has your LastPass master password and has access to your email, it's game over and having the 2fa enabled on the LastPass account won't do anything.

Lol, that's horrible. Between things like that and simjacking, phones seem to be a terrible thing to involve in security. And people, I guess.
Yeah, and I used an app instead of sms on my phone for the 2fa token. Didn't make a lick of a difference...
Guess? Either you fell for a phish or my intuition tells me you may have run an infostealer malware (exfils data and leaves little trail). No matter what type of 2fa you have, it is useless if the auth token can be accessed post authentication (cookie theft basically).
This also happened to me back on Nov 10, 2021. I had an old LastPass account, wasn't using it, when all of a sudden i get an email:

-- Login attempt blocked Hello,

Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look. ---

Like you, it told me that the attempt came from Brazil, using an IP address starting with 160. I have no idea how they would've gotten that password. Made me wonder if LastPass had some issue, but nothing was in haveibeenpwned

What, really??

This is too crazy of a coincidence to be a coincidence.

This is exactly what's happening to me, and same IP prefix.

What does it mean?

---

How old of account was this? Can you contact me by email (email in my profile)?

---

Two theories:

- there is a problem with LastPass

- you and I both had the same Chrome extension installed that was actually compromised, and that extension was listening to/sending passwords typed into lastpass.com

I last used this account/master password back in 2017. Is that similar-ish to when you used your account?

posting another comment here too for visibility, but this _just_ happened to me as well....

Time Monday, December 27, 2021 at 1:41 PM EST Location São Paulo, SP 01323, BRAZIL IP address 160.116.88.235

Not sure it's really in Brazil.

LACNIC says the IP range was transferred to AFRINIC. They then say that it is owned by:

Affiliated Computing Services (Pty) Ltd descr: P. O. Box 261333 descr: Excom 2023 country: ZA

But then further note that ownership is in dispute! We need someone to look it up in the current routing tables to see where it's presently being routed to.

I also saw that very weird thing -- Brazil vs AFRINIC.

Help/insight from ASN? BGP? networking experts would be appreciated..! Thanks a lot

That IP is present in a cn record for visit[.]keznews[.]com, whose whois record lists an admin contact in CZ.

Be very wary of geo-ip results, on the modern internet they are effectively useless.

Ignoring VPNs, why are they useless?
Why ignore VPNs? Im sure someone else can chime in but to my knowledge that's what makes them useless. You can't be sure someone isn't running VPN, then you can never be certain GeoIP is correct, thus it's useless.
Because everyone knows that VPN IPs’ geoloc is useless, so I assumed that those were being ignored. Also because it’s possible to see if an IP is (possibly) a VPN one by looking up the owner.
As with most things IP-related, this is only somewhat true. There are a lot of VPN providers that specialize in not getting their exit IPs marked as VPNs, so just because an IP isn't listed as a VPN by your intel provider of choice doesn't mean it's not a VPN. GDPR also means finding netblocks with super generic IP-whois is really easy.

Geo-ip is a perfect analysis trap, because it seems like it's probably a good idea so people put it into the roadmap. Then they spend forever tracking down all the ways it doesn't work (I bet you have customers in whatever geo you're thinking of blocking, there's a surprising amount of netblocks that are attributed incorrectly, etc), and then the sunk cost fallacy leads them to maintaining their creaky system. Imagine what you could have done with that effort in the meantime.

Now, let's put our badguy hat on. It takes effectively zero time to tell if your target is geo-blocking (compare your port results between several geos, or cheat with censys and shodan). Being blocked? Launch your attack from IP space in another geo. Pro-tip on that: nobody blacklists cloud provider IP space because of VDI solutions. You can migrate between stolen cloud accounts faster than the provider can suspend them, especially for reconnaissance and initial payload delivery.

Edit: see also, renting time on botnets, renting physical colo, compromising residential ISP equipment, and friends.

I wouldn't go so far as useless, but they frequently exhibit significant inaccuracy, no matter which vendor/service you use. It's not unusual for me to query 7 APIs and be told the user is in 7 different cities spanning 5 states. At least there's usually a quorum at the country level. Given the market ($$$) for IPv4, this feels like it's only getting worse as more blocks of IPs are being sold, leased, transferred, even between continents/RIRs and the geo providers are always a few steps behind.

For the IP posted above, I have 3 providers claiming it's in Sao Paulo, 3 who says it's in Joburg (this is as accurate as anyone's going to get right now) and one says it's in Chicago! If I'm trying to do something with these results programmatically, I don't have a majority or a plurality to pick as a "winner" and I have to try weighting specific providers, which is a whole new mess.

Anyway, there's a good idea brewing in RFC8805 but it'd require pretty much every AS to play along.

I've routinely seen edge cases where geo IP databases are just wrong, even from providers like Google and others.

My home would routinely show up as from a country a thousand miles away. Friends down the street would show up several states over. Customers I know which were a state over would appear from a different country. The databases are usually right, but they're still often wrong. Often enough to cause frustrations.

Hmm. So I don't know if this means anything, but I was googling for the IP address and wound up at https://ipinfo.io/160.116.88.235 which says hostname: visit.keznews.com. When you go to that hostname, it's one of the best phishing sites I've ever seen. They dynamically inserted my ISP's logo (Spectrum) and tried to do a phishing attempt:

https://i.imgur.com/C9HQw1c.png

The full non-clickable URL:

  https://us.poonstate.click/us/i/spectrum/?track=u.pslnk.link&key=eyJ0aW1lc3RhbXAiOiIxNjQwNjM4NTIyIiwiaGFzaCI6IjNiZjRkYTg5MTA5MzMzNmU5NjRmMjZiNDY1NWUyN2UwMjk3NzI0OTYifQ%3D%3D&tsid=7ae4766b-0de5-4865-9f1b-025a45c71c3f&bemobdata=c%3D314f53db-f844-46ea-99f8-f277456639d3..l%3Df57d9a37-1c67-4958-ac52-6f4854ce6840..a%3D2..b%3D1..z%3D0.0016..e%3Dzr4b7f4393675711ecb78f122b3efc6f65f31163358f914cea90c49d2c8cc35b7b0612682b8c773fbcf1..c1%3Dwhiskey-oar-eAcMKVvZ..c2%3Dgriseous-trout..c4%3DDOMAIN..c6%3DNON-ADULT..c8%3D1655308..c9%3Dfbb8c5b0-5140-11ec-a217-0aea8b85a94f..c10%3D0#
I went through and answered the "questions", and it tried to take me to the actual phishing site:

https://i.imgur.com/wYt5WB3.png

https://i.imgur.com/Picaw4a.png

Screenshots of the actual phishing site

https://i.imgur.com/Bh5c2lZ.png

https://i.imgur.com/q7xnSki.png

https://i.imgur.com/GX4hWnQ.png

And its url (non-clickable):

  https://welcome.myonlineeconomy.com/us/238700/25/?pubid=aff-us&pob=3&click_id=61ca28bcf92ca000011aa4c0&subid=RT-60338e1b79fcbe00012195a3-168&utm_medium=mail&utm_term=ipadpro&terms=y&email=&fname=&lname=&fp=&address=&city=&zip=&state=&lpkeyua=a17666fa4eadface9331c0311b1e8875.1640638952

Now, the interesting part is that this phishing attempt only happened once. When I tried to visit again just now, it just says "something went wrong" (on the first site) and "Access denied" (on the second site).

I saved the sites to disk as I went, but I doubt these dumps will tell you much. Just in case though:

1. https://gist.github.com/shawwn/4deace812e7c752949a0df096ef66...

2. https://gist.github.com/shawwn/721f235e760dd2257cd760edb1188...

Long story short: It sounds like all of you got phished. I suspect you installed a malicious app that somehow targeted your web browser's LastPass extension, modifying it to send your master password to these fine people. ¯\_(ツ)_/¯

Hey,

That's quite possible, for sure. I am not beyond/above/below being phished like anyone else, ha!

The issue -- what makes it perplexing -- is that I haven't used this LastPass password since 2017. I know because this LastPass account was only used to share passwords within an org that I left back then.

Is it possible that I was phished 4 years ago, and they sat on the password? Sure.

But 2 other people in this thread being phished from the same exact same phishing server/group?

Or we were separately phished using different techniques, and now one Brazil server attempted to use all of our logins?

That's what's rather strange.

I feel like this sounds more like a zero-day exploit being used to target the LastPass login servers.
Couldn't it just be that someone got a copy of the password some years ago and now sold the list of credentials to someone else, who then tried to use it? Maybe the original owner of the list didn't realize some of the credentials was for LastPass, for example.

I'm still seeing hackers trying to log on using passwords I haven't used in ~10 years, because it's on a list somewhere.

I agree, that could make sense.

So LastPass (their extension) may have been hacked ~5 years ago ish, a few people here on the thread were all hacked in the same way, our passwords were sold off, and now the same Brazil IP range just tried all of those passwords.

Perhaps you can ask the other victims when did they register their accounts to see if that's true?
Hey guys I think that maybe this has to do with an exploit in the web browser LastPass extension about 5 years ago: HN POST: [0].

[0] https://news.ycombinator.com/item?id=12171547

Yeah, that's not impossible. Surprising that they sat on the passwords for so long, but this is quite possible. Thanks for the reference/link!
You don't necessarily know they sat on it. You only just got a notification of the failed login now.

That doesn't mean they didn't try stuffing it elsewhere previously, or have login attempts you weren't notified of.

Nor do you know if the entity responsible for the failed login is the one who originally captured the credentials.

If you'll forgive the wild speculation, your credentials could have been sold recently and the new owners are less picky about alerting victims to the breach.

It could be that a bunch of credentials were captured for a specific purpose. Perhaps it was a targetted attack aiming for a specific victim, you and others here were collateral damage, and now the attacker is selling the assets.

Yeah, totally agreed and all great points.

I also generally am more suspicious of the idea that they sat on the credentials for years. Although that is not impossible.

One disproving fact (of sitting on the password for years) is that a few people here in this thread confirm having a login attempt from the exact same ip range, but with an account that was created this year -- in one case, in November 2021:

https://news.ycombinator.com/item?id=29710262

So... it might turn out to be a much more recent vulnerability after all.

That’s not a phishing site. That’s standard zero-click /smartlink monetization. It’s a lot to explain and I’m on mobile but it isn’t anything to do with phishing.
But, it certainly wasn't from Spectrum (my ISP), but they designed the page to make it look like it was.

I agree that it could be totally unrelated to the root mystery though. But "everyone here fell for malware or got phished" seems like the most likely explanation, even if my answer happens to be otherwise incorrect.

the site is an advertising redirect and these same attackers (or at least users of the same IP ranges) use leaked credentials to login to Microsoft/Outlook accounts using SMTP
Great post, seriously.

How many extensions are you using again? :-)

Hmm. Tabist, Twitch Now, EditThisCookie, TooManyTabs, ublock, adblock, tampermonkey, disable Reddit CSS, FreshStart, Notion, Netflix auto-skip, gist from website, Auto Kill Sticky... and a couple I don’t recognize. I’ll post a full list when I’m back at a laptop.

“Too many” :)

The only ones I have that match up there are EditThisCookie and ublock (origin)

EditThisCookie was last updated November 22, 2020, so it doesn't seem likely from that.

ublock origin was updated December 2, 2021, but they haven't changed devs or anything that would make me suspicious.

I am having the same issue!!! One of my important passwords was leaked and in free use by a bunch of people who were all accessing my evernote account (thankfully it had nothing important in it). I've been on a spree to change my passwords since then.

I have been wondering - is this because of the following lastpass bug?

https://www.zdnet.com/article/lastpass-bug-leaks-credentials...

I just tried logging into my LassPass (not used for a while) and I entered the password wrongly (I capitalised one letter) and got an email "Someone just used your master password to try to log in to your account from a device or location we didn't recognize."

Maybe it says someone used your master password even if they didn't? It gave the IP as Islington which is kind of correct.

I think that password case is a separate issue. If I remember correctly, many online services do "secretly" accept mixed cases for the same password (because users make more mistakes than they realize and it would be "annoying" to be too strict)

If you didn't receive a "Someone just used" email (with an IP that's completely geographically off from where you are) that's a good sign, of course.

I tried pushing back on just such a request once, pointing out it made of of the password "security" requirements pointless (use mixed case letters).

"But famous company X does this, it is really convenient for users!" was all the response I got. All I could do at the time was (internally) shake my head.

Oh! If the messaging is the same regardless of whether the right password is used then that changes everything!
When a wrong password is used, no email is sent out from my multiple experiments today.

I'm happy to be proven wrong, but I think that what's happening with @tim333 is that master passwords may be all lower cased (for example) before being hashed. Or maybe the password is hashed twice with the first letter upper and lower cased.

Here's what I found from a quick google re: password case:

https://www.zdnet.com/article/facebook-passwords-are-not-cas...

https://security.stackexchange.com/questions/68013/facebook-...

"This is simply Facebook trying to provide a better user experience for those users who may have Caps Lock enabled, or whose devices automatically capitalize the first letter of the password."

I don't think that's the case. I went back and looked at the auth logs and there are many "failed logins" and one "Login verification email sent", which is the only one I got an email for.
Master passwords are static passwords by definition. It could have been an old fashioned keylogger for example. It could also be a phishing email attempt.

Disclaimer: I worked on the 2FA part of the saas pass password manager which never has a master password and always uses passwordless MFA like scanning an encrypted barcode for unlocking the browser extension.

Hey, this _just_ happened to me too....my password would be near impossible to guess and is not used elsewhere...

Just deleted my last pass account!

here's the info that came with the email

Time Monday, December 27, 2021 at 1:41 PM EST Location São Paulo, SP 01323, BRAZIL IP address 160.116.88.235

WHAT!! Same IP range for me.

How is this possible????

not sure, but this seems pretty bad! fwiw, i haven't used lastpass in at least a year. i've been using 1password.
How old approximately was your account? I used my master password the last time in 2017... were our master passwords compromised back then... and someone held on to them for that long? That seems improbable?
just checked my email. last pass account was created in 2015, not sure if the current leaked password has been in use that whole time, but it has definitely been quite a few years. moved over to 1passward in march of this year and likely have not used last pass at all since.
That's really so strange.

What is the probability that you, techknight (the other user in this thread) and me used the exact same compromised software back in ~2017 and had our master passwords stolen then? And for that person/bot (in Brazil) to try all of those master passwords now?

It's beginning to look like this is a LastPass issue, no..?

it certainly does look like a lastpass issue....
LastPass was my first thought, but I couldn't find anyone else having the same issue and decided it couldn't possibly be them. Now I'm not sure!

I've emailed you a list of the extensions I use in Chrome - if you want to share publicly any that we have in common I'm okay with that

Hey, thanks -- just replied to your email.

Since I haven't used this LastPass master password since 2017, I'd have to remember which extensions I had back then, which is hard to do...

I may have had 1Password and Adblock Plus which you had/have too.

But it's hard to say. It's a possible vector (that you, dogman123 and I had the same compromised extensions) but also... why would the hackers have sat on our master passwords for nearly 4 years (in my case)?

One other breadcrumb: https://news.ycombinator.com/item?id=29706957

It's looking like you got phished a long time ago, or installed malware which targeted the lastpass extension.

Did all of you use the same OS four years ago? (Windows perhaps?) Some malware targets Chrome/Firefox files on disk. A malicious extension probably wouldn't be able to affect your LastPass extension, but a malicious malware app could easily modify it.

Yeah, all of us being phished years ago is a possibility (I just replied to your other comment)

I used macOS/Chrome back in 2017. I definitely could have been phished then, or used a compromised extension.

How'd they get past the 2FA, though?

Or does LP shoot an email if it detects a suspicious geo-IP login before the 2FA prompt?

LP shoots an email as soon as someone attempts to login with the correct password from a new IP.

Once the IP is approved (you have to follow a link from the email), then you login again with the correct password and then get the 2FA prompt.

What prompted the move to 1password? Curious as I am deciding myself which service to use.
Not OP commenter but I personally would recommend using pass (https://passwordstore.org), I’m a little paranoid about all this fuzz, plus did you see the news in HN a few months ago about a password manager web browser extension having an exploitable vulnerability? Not sure if it was lastpass but I’ll try to search for it…

Edit: I found an old post from about 5 years ago on a vulnerability in LastPass’s extension [0]

[0] https://news.ycombinator.com/item?id=12171547

I was so pissed at LastPass when the Firefox extension stopped working when Firefox Quantum was released, they didn't have an ETA for fixing it, their support is completely crap. I gave up no LastPass with 9 months left on my subscription and moved to 1Password. Also, LastPass UX is still awful to this day (I have to use it for work). Migrating from LastPass to 1Password was like migrating from Linux to Mac. It's more expensive, but it's sooooo much better and polished.
What browser extensions do you have installed?
I don't remember which extensions I had in 2017, unfortunately...
(comment deleted)
Is the date / time exactly the same? It seems like they might have emailed _everyone_ at this point. Maybe it's just a bug.
I have a LastPass account (also not used for some time) and have not received this email.
got one at 1528EST from 23[.]236[.]213[.]5 - OSINT shows it part of BLAZING_SEO_PROXY

pw was only ever used here and stored offline

That's a different IP range, but the fact that it's all happening at once (i.e. these unique, never used elsewhere LastPass master passwords being used to login) is rather strange..?

Or I am drawing a random line through a cloud of dots..? :-)

What other IPs are part of BLAZING_SEO_PROXY?

Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!

Mine was from India, master password definetly unique and very strong. I'm still hoping for some bug that mass alerted every day login attempts instead of actually gaining access.
I'm hoping for an email bug / false positive too.

Also, incorrect login attempts (i.e. using the wrong password) does not send out an email.

If you do attempt to login with the correct master password from a different/new IP, then you'll get the "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email.

Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!

Can you guys list out the browser extensions you are using and/or if you're using LP on mobile?

We need to find a common thread.

Are we sure that same email isn't sent out if someone tries to log into your account with the wrong password?
No email is sent when an attempt was made to login with the wrong password.

Logging in with the wrong password is logged in the Account History as "Failed Login Attempt"

Logging in with the correct password (or hash? TBD) from a new IP triggers the email and that's logged in the Account History as "Login Verification Email Sent"

That IP is not from Brazil. It revert-resolves to keznews.com (Looks like it's registered in Prague)

If you try hitting it, it will redirect you to some website which might or might not be the same to every person

Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!

I feel this is like a Reddit detective moment. Almost everyone here is going to have uBlock Origin installed.
Yeah I agree. And a few users who were compromised confirmed not having uBlock. So yeah. False trail.
Does lastpass have a login history? first thing would be to check if the mail is genuine
Completely agree. I did check and my Account History is showing the same info. I also talked to their support and they confirmed this info.
Where is LastPass's account history?
- Lower left corner: Advanced Options

- In the sidebar that shows up, "View account history" -- it's in the middle of the page vertically

Make sure to use both "Logins" and "Events" when doing searches.

The "Login Verification Email Sent" (i.e. someone attempted to login with the correct master password) show up under Events.

do you have it installed on your smartphone? have you ever entered your master password on your smartphone? what sort of smartphone do you have, does it get security updates regularly, is the manufacturer competent?

same with your desktop. is everything up to date?

I have an iPhone and I do have my keepass file there too. So yes, presumably, the iOS app that I use could have accessed my keepass file and sent it unencrypted over the network to someone (which would be terrible).

Thanks for the comment/reminder! I'll definitely have to re-consider what I do with regards to the keepass file on my phone.

also, just for grins. have you checked to see if the same email is generated in error when a failed login attempt happens from an unknown location?
Yes, good call. And I did just check.

A wrong password = no email.

Correct password from different IP = exact same email saying "Someone just used your master password to try to log in to your account from a device or location we didn't recognize"

That's the exact same email I received earlier with the Brazil IP.

This just happened to me today, but login location was Bangkok. I also haven’t used my lastpass account in almost 2 years since I switched to Bitwarden, so no way this could have stolen from my computer recently
Can you please post more information?

Was this an old LastPass account? You didn't use this master password elsewhere, etc.?

Thanks!

Old LastPass account with a random string as the password, definitely not used anywhere else
And you received the same "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email?

Someone is tracking IP addresses now in the thread -- would you mind sharing what was your attacker's IP?

I too moved to bitwarden a year or so ago. Kept my lastpass account around just in case. This post inspired me to finally delete it for good.
Exact same here. Made the jump around a year ago and this post made me realize the lastpass was still a liability so just deleted it.
Same thing for me, havent used my account for years, has strong password and I just got an email that someone from Paris tried to login but was blocked.
!!! This makes 6 of us in this thread...

It's improbable that we were all phished years ago by the same group...

Was the LastPass extension hacked years ago (as mentioned in https://news.ycombinator.com/item?id=29707325 ) and all of our master passwords were leaked/stolen, and someone just attempted to use them?

Look at the email headers and post them here. Was the email actually from lastpass????!!!
Yes, the same information appears in my Account History and LastPass support confirmed it.

So in this case, it's not a phishing attempt unfortunately.

Do you ever store your LastPass in your clipboard? Malicious apps on some platforms can access your clipboard without your knowledge. Do you use a clipboard manager? Is it trustworthy? Does it store data safely on disk?

Good questions to ask yourself

Good questions for sure!

In my case, the LastPass master password hadn't been used since 2017. It was stored (safely, I presume or at least hope!) in a local encrypted KeePass password manager file.

I definitely could have malware on my computer that sniffed/read the KeePass file while it's temporarily unencrypted (when I open it to get a password).

Not an answer to OP but I had seen that that on HM a while ago : https://www.lesspass.com/ Really liked the idea of not having to rely on a third-party ... But I never used it because of Firefox master password and sync functionality. Too lazy.
I wonder how secure is the Firefox solution vs LastPass and others.
I switched to BitWarden from this, this works well until a site forces you to change your password (or has arbitrary password requirements), then it's basically impossible to do.
I remember reading that LastPass had a breach, some time ago.

I think that LastPass and 1Password are the ultimate targets for hackers.

Wouldn't surprise me if they got in. Hackers ain't Matthew Broderick, anymore.

EDIT: Deleted somewhat cynical editorializing

(comment deleted)
Lastpass has been a pile of hot garbage for a while, so this is somehow not surprising.
People are always saying (smugly) how crucial LastPass is...
Do you mean LastPass specifically or password managers in general?

If the former: I haven't noticed that -- usually folks on HN seem to recommend 1Password or BitWarden.

If the latter: Password managers are important to resist credential stuffing attacks through password reuse.

While I don't like that many of them force you to upload your secrets to the cloud (LastPass, 1Password 8, etc), it's still a better security posture than having your weakest link be every site on which you've used the same password.

The former, and in my day-to-day career.
Reading the comments here there's one possibility that I haven't seen mentioned in that there may be an issue with lastpass allowing some level of access into people's accounts without actually having the password (which wouldn't enable the attacker to access the encrypted data).
let's not make any ridiculous assumptions
I sense sarcasm, but in case my sense is off, there is a webapp which allows you to log into your lastpass account and webapps are known to sometimes have security issues.
Given we’re likely stuck with passwords for the foreseeable future, I’d like to see two things in a password manager (maybe these exist?)

1. “hardware wallet” level security, with good UX. Maybe a USB/Lightning dongle, but I really wish computers/phones had built-in capability to do hardware wallets. Apple TouchBar got close (I realize it wouldn’t considered be a dedicated hardware wallet).

2. a way to automatically roll passwords periodically (with a small amount of user intervention, per requirement #1). This would require either some excellent AI or crowdsourced automations for every website.

Cool, great start, but something Yubikey sized would be more practical.
It can be done with yubikey. Passwords stored encrypted on disk and get decrypted on the yubikey with gpg.

https://github.com/drduh/YubiKey-Guide

https://attackpointsecurity.com/go-pass-yubikey-and-gpg

Isn't a hardware wallet airgapped?

For a cheap alternative you can use an old smartphone, and disable all radios. People will use a Librem 5 in 20 years still for this purpose wink.

> Isn't a hardware wallet airgapped?

No, most of them connect over USB. The important thing is reducing the attack surface to a bare minimum with simple protocols and implementations.

I think at a minimum it would need to emulate a keyboard to type out complex passwords. Ideally it could also receive simple commands from, say, a browser extension to request filling in a specific website.

> “hardware wallet” level security

This is mutually exclusive with passwords:

A hardware wallet never reveals its private key and allows you to review and approve private key operations through a well-defined and hardened interface. Passwords are bearer tokens, and there is no such option.

I use pass[0] against a Yubikey with a touch-policy that requires a touch to decrypt. I use passmenu, which types up the password (using xdotool) so clipboard stealing isn't as easy (probably adds a different attack vector though).

Not as good as webauthn etc, but still better than copy-pasting passwords, or a browser extension that keeps passwords decrypted in memory.

2. a way to automatically roll passwords periodically

Ironically, that’s what LastPass can do for many important sites. Technical details: it opens a site, clicks around its menus and does that for you, and you see all of this automation on your screen. Imagine how many non-2FA users are now experiencing automated password resets on their most valuable accounts.

I’m all for 1, as I take my physical keys with me everywhere, but random ISB solutions out there I don’t really trust any more than e.g. lastpass.

Yeah me too. Same IP range too, but location listed as Toronto. Not that this means anything.
Wait sorry, this might be actually critically important.

When you say same IP range, what do you mean? The IP that the login attempt happened from starts with 160.?

If 4 of us (in this thread) all had quasi-successful login attempts to our accounts, it could mean that some LastPass master passwords have been leaked...?? Or LastPass has been compromised?

Begins with 160.116…
Exactly the same here!!!!

Wow, this is fantastically bad.

The location supplied by the LastPass notification for these login attempt IPs seems off. E.g., just taking some of the IPs most frequently posted here as sources of master password login attempts:

196.19.204.79 Stated location: India WHOIS: Poland Warszawa Unit 117, Seychelles (Legacy) AFRINIC AS202769 COOP, US

160.116.206.37 Stated location: Germany WHOIS: Affiliated Computing Services, South Africa AFRINIC AS262287 Maxihost LTD, BR

168.81.122.153 Stated location: Germany WHOIS: Seychelles AFRINIC 202769 COOP, US

Someone is probably putting bogus information into the routes for these IP ranges. But what do all of these IPs have in common? According to my records, they are all related to a dodgy hosting provider in the Netherlands called Ecatel, now called Qasi Networks or IP Volume. And this is all disputed AFRINIC IP space, as per:

https://krebsonsecurity.com/2019/12/the-great-50m-african-ip...

Also FWIW I too have not used Lastpass for 2-3 years. Login history doesn’t appear to go back that far but I’d estimate it’s at least 2 years since I logged in.
More data (mine as well):

Monday, December 27, 2021 at 12:27 PM EST

Location INDIA

IP address 196.19.204.79