There is apparently a large-scale attack going on against accounts: login attempts using the correct master password. LastPass claims it to be credential stuffing, yet people on Hacker News report using unique and strong passwords.


So the question about just how these master passwords leaked remains open. I have at least one suspicion, should really only older accounts be affected. AFAIK LastPass never investigated whether websiteBackgroundScript issue was already actively abused.

People on Hacker News are comparing lists of browser extensions, but I’d consider this an unlikely source. If a malicious or vulnerable browser extension compromised your LastPass master password, the attackers don’t need LastPass to get the rest of your passwords.

Some accounts affected are apparently brand-new, so my suspicion doesn’t seem to be it. Other accounts haven’t been used for years. It’s hard to imagine anything other than LastPass itself being the source of this leak.

The weird part: attackers must have gotten their hands on unencrypted passwords somewhere. They definitely weren’t reversing 100,000 rounds of PBKDF2 for this large-scale attack.
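To make the PBKDF2 argument concrete, here is an added example; it is my own illustration, not code from LastPass or from the original post. It models the client-side pattern the post alludes to (the master password is stretched with 100,000 PBKDF2-SHA256 iterations on the device, and only a further one-round hash is sent to the server), then measures the cost of a single derivation and turns that into a worst-case time to search a password space of a given entropy. The e-mail address, the password, the two-step derivation and the entropy figures are constructed assumptions for the example, not LastPass's actual implementation.

```python
import hashlib
import time

# Constructed parameters: 100,000 PBKDF2-SHA256 iterations on the client,
# matching the figure quoted in the post. Email and password are made up.
ITERATIONS = 100_000
KEY_LEN = 32
SAMPLE_EMAIL = "user@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"  # constructed sample


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client-side key stretching. The result decrypts the vault locally and is
    never transmitted; the e-mail acts as the per-user salt (lower-cased so that
    case differences in the login form do not change the key)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), email.lower().encode("utf-8"),
        iterations, KEY_LEN,
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra PBKDF2 round over the vault key yields the value sent to the
    server for authentication (a hypothetical design modelled on common
    client-side password managers). With this layout the server never receives
    the plaintext master password, so a plaintext leak would have to come from
    somewhere the password is still in the clear, e.g. a client or web form."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, KEY_LEN)


def time_one_derivation(master_password: str = SAMPLE_PASSWORD, email: str = SAMPLE_EMAIL) -> float:
    """Wall-clock seconds for one full 100,000-iteration derivation on this machine.
    This is the per-guess cost any offline attacker would also have to pay."""
    start = time.perf_counter()
    derive_vault_key(master_password, email)
    return time.perf_counter() - start


def years_to_exhaust(entropy_bits: float, seconds_per_guess: float, parallel_guesses: int = 1) -> float:
    """Worst-case years to try every password in a space of 2**entropy_bits
    candidates at the given per-guess cost, spread over parallel_guesses workers."""
    guesses = 2.0 ** entropy_bits
    return guesses * seconds_per_guess / parallel_guesses / (365 * 24 * 3600)


def main() -> None:
    key = derive_vault_key(SAMPLE_PASSWORD, SAMPLE_EMAIL)
    login_hash = derive_login_hash(key, SAMPLE_PASSWORD)
    print(f"vault key (stays on device): {key.hex()}")
    print(f"login hash (sent to server): {login_hash.hex()}")

    per_guess = time_one_derivation()
    print(f"one derivation took {per_guess * 1000:.1f} ms on this CPU")

    # Illustrative entropy figures: a short human-chosen password versus a
    # long random passphrase. Assume an attacker with a million parallel
    # guesses per second-equivalent of this CPU; both numbers are constructed.
    for label, bits in (("weak (~28 bits)", 28), ("strong unique (~70 bits)", 70)):
        years = years_to_exhaust(bits, per_guess, parallel_guesses=1_000_000)
        print(f"{label}: {years:.3g} years to exhaust the space at 1M parallel guesses")


if __name__ == "__main__":
    main()
```

The point the numbers make is the one the post makes in prose: a per-guess cost of tens of milliseconds is survivable for a dictionary attack on a weak password, but the stated attack uses correct strong, unique passwords across many accounts at once, which is not the profile of an offline brute force through 100,000 PBKDF2 rounds.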

Maybe LastPass somehow logged the unencrypted password when people logged in via the web interface?