There is apparently a large-scale attack going on against #LastPass accounts, login attempts using the correct master password. LastPass claims it to be credential stuffing, yet people on Hacker News report using unique and strong passwords.
So the question about just how these master passwords leaked remains open. I have at least one suspicion, should really only older accounts be affected. AFAIK LastPass never investigated whether the websiteBackgroundScript issue was already actively abused. https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/
The weird part: attackers must have gotten their hands on unencrypted passwords somewhere. They definitely weren’t reversing 100,000 rounds of PBKDF2 for this large-scale attack.
Maybe LastPass somehow logged the unencrypted password when people logged in via the web interface?