
Correct, at 10:20 Eastern I did receive the verify device/location email using an invalid password, but it is no longer sending the email.



That would truly be the best outcome possible -- that LastPass sent out "Someone just used your master password" emails incorrectly i.e. those were false positives.


They are saying it’s just a credential stuffing attack and, given that my master passphrase is only used for LastPass, I’m hoping that is all that is going on. Their statement does say “It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed”, but I would still like confirmation the emails were sent even on invalid attempts.


But if your master passphrase is only used for LastPass (as is exactly my case -- I've never used it elsewhere), how can it be credential stuffing? Or was the password breached from LastPass itself in the past? That's possible, but then it doesn't gel with people having this same issue with accounts created in November 2021.

As far as I can tell, the "Someone just used your master password to try to log in to your account from a device or location we didn't recognize" email we all received was only sent when a correct password was used. Incorrect passwords did not trigger that email.

But yes, it would be great to learn that those emails were sent incorrectly, i.e. it was a false positive (someone tried to log in with a wrong password, but the email above was sent anyway). It's still not great that the wrong kind of email was sent, but that would be a low-level bug.
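The distinction drawn in the comment above (alert only on a correct password from an unrecognized device, versus an alert that fires on any unrecognized device regardless of the password) is easy to get wrong in a login handler. The following is an added example, not LastPass code and not from anyone in this thread; the account structure, the PBKDF2 stand-in for the real KDF, the device-ID scheme and the sample attempts are all constructed for illustration. It shows the two orderings side by side and a probe that mirrors the test the commenters ran: try a deliberately wrong password from a new device and see whether the "master password was used" alert fires.

```python
"""Added example: a 'new device' login alert that becomes a false positive
when it is decided before the password is verified. Nothing here is from
LastPass; names, KDF choice and sample data are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Wording modelled on the email quoted in the thread (constructed constant).
MASTER_PW_ALERT = ("Someone just used your master password to try to log in "
                   "from a device or location we didn't recognize")


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    known_devices: set = field(default_factory=set)


@dataclass
class Outcome:
    logged_in: bool
    alerts: list


def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever vault KDF a real service uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(email: str, password: str, known_devices) -> Account:
    salt = os.urandom(16)
    return Account(email, salt, derive(password, salt), set(known_devices))


def password_ok(acct: Account, password: str) -> bool:
    # Constant-time comparison of the derived hash.
    return hmac.compare_digest(acct.pw_hash, derive(password, acct.salt))


def login_buggy(acct: Account, password: str, device_id: str) -> Outcome:
    """Device check runs first, so the 'your master password was used'
    alert is queued even when the password turns out to be wrong."""
    alerts = []
    if device_id not in acct.known_devices:
        alerts.append(MASTER_PW_ALERT)          # fires before we know the password is right
    if not password_ok(acct, password):
        return Outcome(False, alerts)          # alert still goes out: false positive
    acct.known_devices.add(device_id)
    return Outcome(True, alerts)


def login_fixed(acct: Account, password: str, device_id: str) -> Outcome:
    """The alert text claims the password was correct, so it is only
    emitted after the credential check passes. Failed attempts belong to
    rate limiting / failed-login telemetry, not to this message."""
    if not password_ok(acct, password):
        return Outcome(False, [])
    alerts = []
    if device_id not in acct.known_devices:
        alerts.append(MASTER_PW_ALERT)
        acct.known_devices.add(device_id)
    return Outcome(True, alerts)


def probe_false_positive(login_fn, acct: Account, unknown_device: str) -> bool:
    """Reproduce the commenters' test: wrong password from a device the
    account has never seen. Returns True if the master-password alert fires."""
    result = login_fn(acct, "definitely-not-the-password", unknown_device)
    assert not result.logged_in                # a wrong password must never log in
    return MASTER_PW_ALERT in result.alerts


if __name__ == "__main__":
    for name, fn in (("buggy", login_buggy), ("fixed", login_fixed)):
        acct = make_account("alice@example.com", "correct horse battery", {"laptop-1"})
        print(name, "false positive on bad password:",
              probe_false_positive(fn, acct, "phone-9"))
```

Run as a script it prints `True` for the buggy ordering and `False` for the fixed one; the probe is the single check worth asking a vendor for when an alert like this is in doubt.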


I was never able to successfully trigger the false positive last night but I believe the most recent explanation from LastPass is in line with what I have been seeing. Intermittent false positive emails.

https://www.techradar.com/au/news/lastpass-accidentally-scar...


Yeah, just saw their new announcement (thanks for doing those tests yesterday by the way!)

I don't know how much to read into their use of "some" and "likely" i.e. "some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error"

I would want to know whether they can demonstrate that wrong passwords were used in this attack, and have an explanation for those users who received the email a second time after changing their passwords.


I was just able to trigger the email again on a bad password. Going to figure out the exact 123’s and screen record.



