There is apparently a large-scale attack going on against #LastPass accounts, login attempts using the correct master password. LastPass claims it to be credential stuffing, yet people on Hacker News report using unique and strong passwords.
So the question about just how these master passwords leaked remains open. I have at least one suspicion, should really only older accounts be affected. AFAIK LastPass never investigated whether the websiteBackgroundScript issue was already actively abused. https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/
Some accounts affected are apparently brand-new, so my suspicion doesn’t seem to be it. Other accounts haven’t been used for years. It’s hard to imagine anything other than LastPass itself to be the source of this leak.