undefined | Better HN

0 pointsgregsadetsky4y ago0 comments

That's an interesting new avenue -- that older passwords are/were recognized too.

I just tried my old password and the error message only says to check the password -- there are no emails sent saying that someone attempted to log into my account with my password.

LastPass did change their systems, supposedly correcting for the issue that we all saw. So the test I just did also isn't really indicative of how their systems were working 2 days ago.

There are still remaining questions:

- the use of "some" and "likely" in LastPass' new announcement -- https://www.bleepingcomputer.com/news/security/lastpass-user...

- an explanation on how the false positives happened. What made the system think those attempts were using the correct master passwords?

- an assurance that no correct master passwords were used during the attack -- that they were all false positives (i.e. this attack was strictly credentials stuffing i.e. someone tried a bunch of passwords they obtained from other sources)

- finally, an explanation for the 3 independent cases where people changed their passwords and then received an email again saying someone had attempted to login using their passwords. Those emails may have been false positives as well, but we would have to know.

0 comments

Schiendelman4y ago

Great point that we have no idea how to verify anything now since they changed their systems.

I switched to using icloud keychain a while back, after a breach LastPass had a few years ago.

j / k navigate · click thread line to collapse