
Just happened to me one hour ago and got scared shitless.

  Time Monday, December 27, 2021 at 3:50 PM EST
  Location UNITED STATES
  IP address 107.173.195.83
Actions taken, in this order:

  - Head to *Advanced Options* -> *View account history* to see if anything suspicious is going on (nothing so far)
  - Disable Lastpass MFA and use Google Authenticator (Authy)
  - *Account Settings* -> click on *Show Advanced Settings* -> *Destroy Sessions* (to see if anyone is actively logged in)
  - *Account Settings* -> click on *Show Advanced Settings* -> *Country Restriction* to my country only (luckily not in the US as the bot was)
  - Change Master Password
Also moments earlier:

  - Investigating all Mac processes
  - Disabled all Chrome extensions and deleted most (should have made a list)

Let's hope it's not as bad as it seems.

Edit#1 | The following IP addresses have been reported in the thread so far:

  160.116.88.235
  160.116.231.145
  160.116.88.235
  107.173.195.83
  107.173.195.213
  154.202.117.78
  196.19.204.79



One other thing to note is that by default lastpass allows reverting to your previous password for 30(?) days. The option is in account settings -> advanced -> "Allow master password changes to be reverted".

To be safe you would probably want to disable that then change your password again. Just don't lose your new password as you then can't revert.

See https://support.logmeininc.com/lastpass/help/recover-your-lo...


I last changed my master password in 2019, and it gave me the option to revert to previous password. So it's not just a 30 day thing.


That is concerning and directly contradicts the docs:

"You can revert to your previous master password only if the change had taken place within the last 30 days."

I guess it is possible it is another UX issue and would fail if you tried, but that still isn't very reassuring.


You received a "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email?

And your master password was secure/not used anywhere else, etc.?

Did we all (that's 8 of us now in the thread) get compromised a few years ago (using the LastPass extension?) and someone just mass attempted to try all of those passwords..?

Edit: since you're tracking IPs found in this thread (thanks!), my attacker's was 160.116.189.21. You also have one IP duplicated (160.116.88.235), which was from the same user both times. You can also add 160.116.95.249, which was just posted.


"Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look."

Could be... I haven't rotated my password in a while. Could you link me to more info about the LastPass compromise that you mentioned?

p.s. My master password is definitely not dictionary material, and it's not used anywhere else, so I am 100% sure it's not a bruteforce / phishing attempt.


That's so extremely bad and really cannot be a coincidence at this point. We were all owned in the same way years ago...?

The compromise was mentioned here: https://news.ycombinator.com/item?id=29707325


So they had waited all these years before acting on those passwords? Seems like there should be some other explanation.


All of this IP space is cybercrime-related.

Most of it was initially obtained via fraud/corruption from AFRINIC and being currently announced by AS202425 (Ecatel, notorious crime host). Whoever is using it is up to no good.

The rest is owned and announced by ColoCrossing which could be considered a legit ISP by some metrics, but also has an extensive history of hosting lots of shady stuff.
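Several commenters are pasting alert-email fields and bare IPs into the thread, and one of them notices a duplicate in the collected list. The script below is an added example (not code from anyone in the thread): it pulls every IPv4 address out of pasted thread text, drops duplicates and non-routable addresses, parses the "Time / Location / IP address" triples from the alert emails (including the `>`-quoted form), and groups the addresses by /16 and /24 so the clustering in one address block is visible at a glance. The sample text is constructed from the values already posted above; no prefixes or ASNs are asserted beyond what the text contains.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: alert-email fields and bare IPs as they were pasted
# in the thread above (values copied from the posts).
THREAD_TEXT = """
  Time Monday, December 27, 2021 at 3:50 PM EST
  Location UNITED STATES
  IP address 107.173.195.83

  160.116.88.235
  160.116.231.145
  160.116.88.235
  107.173.195.83
  107.173.195.213
  154.202.117.78
  196.19.204.79

my attacker's was 160.116.189.21 . You can also add 160.116.95.249 which was just posted

> Time Tuesday, December 7, 2021 at 11:12 AM EST

> Location Ottawa, KS 66067, UNITED STATES

> IP address 208.114.93.34

adding 160.116.250.63 for the login attempt on my account
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# The three alert-email fields; "\s*>?\s*" tolerates blank lines and ">" quoting.
ALERT_RE = re.compile(
    r"Time (?P<time>[^\n]+)\s*>?\s*Location (?P<loc>[^\n]+)\s*>?\s*IP address (?P<ip>\S+)"
)


def extract_ips(text):
    """Unique, valid, routable IPv4 addresses in text, in first-seen order (as strings)."""
    seen = []
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. an octet > 255
            continue
        if addr.is_private or addr.is_loopback or addr.is_reserved or addr.is_multicast:
            continue  # cannot be the source of a remote login attempt
        if str(addr) not in seen:
            seen.append(str(addr))
    return seen


def alert_records(text):
    """Parse the Time / Location / IP address triples from pasted alert emails."""
    return [
        {"time": m["time"].strip(), "location": m["loc"].strip(), "ip": m["ip"]}
        for m in ALERT_RE.finditer(text)
    ]


def cluster(ips, prefixlen):
    """Group addresses by enclosing /prefixlen network; largest group first."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(ip)
    return dict(sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def largest_cluster(text, prefixlen):
    """(network, member count) of the most populated /prefixlen in the text."""
    groups = cluster(extract_ips(text), prefixlen)
    net, members = next(iter(groups.items()))
    return net, len(members)


if __name__ == "__main__":
    ips = extract_ips(THREAD_TEXT)
    print(f"{len(ips)} unique addresses:", ", ".join(ips))
    for rec in alert_records(THREAD_TEXT):
        print("alert:", rec)
    for plen in (16, 24):
        for net, members in cluster(ips, plen).items():
            print(f"/{plen} {net}: {len(members)} -> {members}")
```

Running it on the constructed sample shows ten distinct addresses (the two duplicates collapse) and that half of them sit in a single /16, which is the kind of view worth having before deciding whether a geo or IP-range restriction on the account is likely to help.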


- Disable Lastpass MFA and use Google Authenticator (Authy)

could you please explain this point? Isn't LastPass Authenticator equivalent to Google Authenticator, Authy or any other TOTP app? Or is there something that makes it less secure than other apps? Perhaps because it has cloud backups?


Honestly after the scare it just seemed stupid that I chose LastPass' own MFA for my LastPass account. Also if they really did get exploited, no idea what it means for their MFA solution.


When you do Authy (or Google Auth) it will generate a new set of keys for you and shut down any old ones associated with the LastPass stuff, thus making the old keys useless. Also, obviously, he should change his master password to a new one.


> When you do authy (or google auth) it will generate a new set of keys for you and shutdown any old ones

Wouldn't it be the same if you were going the other way around? E.g. switching from Authy to LastPass Authenticator.


Lastpass MFA is not at all like Google Authenticator. The codes in Lastpass Authenticator are optional and can be bypassed. It's not secure at all.


> are optional and can be bypassed.

How so? Are you saying that if I sign up for example to Dropbox and use Lastpass Authenticator for the 2FA, there is a way for me to log into Dropbox without retrieving the code from LastPass Authenticator? How would that work?


This is my worst nightmare and I wonder what the order of operations is in terms of downloading and unlocking a vault. This sounds like you need the master password to download and unlock the vault, so that’s a tiny bit of extra protection I guess (not much).

I wonder if password managers should be designed around, and encourage the use of, an undocumented PIN that’s appended to every stored password. You could use the same PIN for everything and if someone got your vault decrypted there would at least be a chance they didn’t get the secondary PIN too.


Can't use the same PIN as a hacker would just add myhackurl.com/login to your vault and see what the PIN came across as. I think you'd also run into issues with password length as a lot of sites still have a restriction. I like the idea though and maybe a different implementation could work.


I mean a PIN that's not stored in the vault or auto-filled. It would be something extra that you add manually after the password manager fills in the password

So the password manager would put in 'password' and I'd manually type '1234' to make it 'password1234'.


That would not have stopped the vulnerability 'LastPass bug leaks credentials from previous site' (see Zdnet article posted elsewhere) though that's not a common vulnerability in software.


Isn't that what 2FA is for? An additional "PIN" that changes every couple of seconds.

Also, do not store your 2FA reset codes in the same account as your passwords.
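The exchange above proposes a memorised PIN typed after each auto-filled password, and the objection is that a constant PIN leaks the moment an attacker plants their own site entry in the vault. The code below is an added example, not from any commenter in the thread, and it goes one step beyond the proposal: it contrasts the constant-suffix scheme with a per-site suffix derived from the memorised PIN with HMAC-SHA256, so that a suffix captured on one site does not work on any other and does not hand over the PIN itself. `myhackurl.com`, `dropbox.com`, the vault password `password` and the PIN `1234` are the thread's own illustrative values; the function names and the suffix length are assumptions for the demo.

```python
import base64
import hashlib
import hmac


def naive_full_password(vault_password, pin):
    """The scheme as proposed in the thread: the same memorised PIN appended everywhere."""
    return vault_password + pin


def normalise_site(site):
    """Canonical site label so that 'www.Dropbox.com' and 'dropbox.com' derive the same suffix."""
    site = site.strip().lower()
    return site[4:] if site.startswith("www.") else site


def site_suffix(pin, site, length=6):
    """Per-site suffix: HMAC-SHA256(key=PIN, msg=site), base32 so it is typeable.

    `length` is capped short because many sites still limit password length
    (the concern raised in the thread); 6 base32 chars is 30 bits of entropy
    on top of the vault password.
    """
    mac = hmac.new(pin.encode(), normalise_site(site).encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode().lower()[:length]


def derived_full_password(vault_password, pin, site, length=6):
    """Vault-stored part plus the per-site suffix the user types by hand."""
    return vault_password + site_suffix(pin, site, length)


def planted_site_leak(vault_password, pin, planted_site, target_site):
    """Simulate the attack described in the thread: the attacker adds `planted_site`
    to the victim's vault, the victim auto-fills and types their secret there, and
    the attacker captures the full credential.

    Returns (naive_scheme_pin_recovered, derived_scheme_suffix_reusable).
    """
    # Naive scheme: the attacker already knows the vault part (they read the vault),
    # so stripping it from the captured credential yields the PIN directly.
    captured_naive = naive_full_password(vault_password, pin)
    recovered_pin = captured_naive[len(vault_password):]
    naive_recovered = recovered_pin == pin

    # Derived scheme: stripping the vault part yields only the suffix for the
    # planted site; it is not valid on the target site, and recovering the PIN
    # would require guessing the HMAC key.
    captured_derived = derived_full_password(vault_password, pin, planted_site)
    captured_suffix = captured_derived[len(vault_password):]
    reusable = captured_suffix == site_suffix(pin, target_site)
    return naive_recovered, reusable


if __name__ == "__main__":
    print("naive:  ", naive_full_password("password", "1234"))
    print("dropbox:", derived_full_password("password", "1234", "dropbox.com"))
    print("planted:", derived_full_password("password", "1234", "myhackurl.com"))
    print("leak (naive PIN recovered, derived suffix reusable):",
          planted_site_leak("password", "1234", "myhackurl.com", "dropbox.com"))
```

The derived scheme keeps the part the thread liked (a decrypted vault alone is not enough to log in) while removing the single shared secret the objection targets; the cost is that the user now has to compute or look up a suffix per site rather than type one fixed string, which is exactly the trade-off that makes a second factor the more practical answer for most people.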


Hey, could you please confirm whether you have uBlock origin installed in the following thread? https://news.ycombinator.com/item?id=29719033

It's not the most scientifically accurate method, but a few people and I are trying to rule out / determine which software in common all of us might have. Thanks!


For me it happened a couple weeks earlier:

> Time Tuesday, December 7, 2021 at 11:12 AM EST

> Location Ottawa, KS 66067, UNITED STATES

> IP address 208.114.93.34


Adding 160.116.250.63 for the login attempt on my account.



