> We recently received reports of an uptick of users receiving blocked access emails.
This is abrogating responsibility for what happened. A better sentence would be: "We recently started receiving reports of users receiving blocked access emails in error."
> Our investigation found that some of these security alerts, which were sent to a limited subset of LastPass users
"Some of these" "limited subset", you're trying to minimize the issue and not sounding like you really understand what went wrong! Stop.
Better: "Our investigation found that these security alerts, which were sent to 7% of users, "
> were likely triggered in error.
LIKELY, LIKELY??
Do I need to explain that "likely triggered in error" could just as easily be translated as "we don't know what's going on but we sure hope nothing bad happened"
Better: "We identified that in edge cases where two users had usernames where one was a fully contained subset of another (e.g. bob fits inside johnbobpierson) we would inadvertently send account alerts to both users when the user bob had a failed login attempt to their account."
> As a result, we have adjusted our security alert systems and this issue has since been resolved.
"adjusted our security alert systems" seriously just makes this all sound like "we were sending alerts when someone tried to login to your account more than 5 times per hour, we raised it to 50 times per hour so yall would shut up"
Better: "We corrected the identified bug and have checked our code base to ensure that the same error pattern is not repeated anywhere else in the code. We fired the the security firm doing code audits and the CEO is looking for a pen to sign a contract with a new one"
Ok I got a bit tongue in cheek in the end, but, seriously this statement does not make me feel like they are "taking it seriously" and a post from a password manager which you are trusting with your life with must scream that at you.
