
How old approximately was your account? I used my master password the last time in 2017... were our master passwords compromised back then... and someone held on to them for that long? That seems improbable?


Just checked my email. LastPass account was created in 2015; not sure if the current leaked password has been in use that whole time, but it has definitely been quite a few years. Moved over to 1Password in March of this year and likely have not used LastPass at all since.


That's really so strange.

What is the probability that you, techknight (the other user in this thread) and me used the exact same compromised software back in ~2017 and had our master passwords stolen then? And for that person/bot (in Brazil) to try all of those master passwords now?

It's beginning to look like this is a LastPass issue, no..?


LastPass was my first thought, but I couldn't find anyone else having the same issue and decided it couldn't possibly be them. Now I'm not sure!

I've emailed you a list of the extensions I use in Chrome - if you want to share publicly any that we have in common I'm okay with that


Hey, thanks -- just replied to your email.

Since I haven't used this LastPass master password since 2017, I'd have to remember which extensions I had back then, which is hard to do...

I may have had 1Password and Adblock Plus which you had/have too.

But it's hard to say. It's a possible vector (that you, dogman123 and I had the same compromised extensions) but also... why would the hackers have sat on our master passwords for nearly 4 years (in my case)?


One other breadcrumb: https://news.ycombinator.com/item?id=29706957

It's looking like you got phished a long time ago, or installed malware which targeted the LastPass extension.

Did all of you use the same OS four years ago? (Windows perhaps?) Some malware targets Chrome/Firefox files on disk. A malicious extension probably wouldn't be able to affect your LastPass extension, but a malicious malware app could easily modify it.


Yeah, all of us being phished years ago is a possibility (I just replied to your other comment)

I used macOS/Chrome back in 2017. I definitely could have been phished then, or used a compromised extension.


How'd they get past the 2FA, though?

Or does LP shoot an email if it detects a suspicious geo-IP login before the 2FA prompt?


LP shoots an email as soon as someone attempts to login with the correct password from a new IP.

Once the IP is approved (you have to follow a link from the email), then you login again with the correct password and then get the 2FA prompt.


It certainly does look like a LastPass issue...


What prompted the move to 1password? Curious as I am deciding myself which service to use.


Not OP commenter, but I personally would recommend using pass (https://passwordstore.org). I’m a little paranoid about all this fuss; plus, did you see the news on HN a few months ago about a password manager web browser extension having an exploitable vulnerability? Not sure if it was LastPass, but I’ll try to search for it…

Edit: I found an old post from about 5 years ago on a vulnerability in LastPass’s extension [0]

[0] https://news.ycombinator.com/item?id=12171547


I was so pissed at LastPass when the Firefox extension stopped working when Firefox Quantum was released; they didn't have an ETA for fixing it, and their support is completely crap. I gave up on LastPass with 9 months left on my subscription and moved to 1Password. Also, LastPass UX is still awful to this day (I have to use it for work). Migrating from LastPass to 1Password was like migrating from Linux to Mac. It's more expensive, but it's sooooo much better and polished.


What browser extensions do you have installed?


I don't remember which extensions I had in 2017, unfortunately...

