New ask Hacker News story: Ask HN: How did my LastPass master password get leaked?

Ask HN: How did my LastPass master password get leaked?
45 by gregsadetsky | 39 comments on Hacker News.
Hi, I've just had a bizarre thing happen and wanted to see if the HN community could come up with some theories as to what happened. LastPass blocked a login attempt from Brazil (it wasn't me). According to an email I received from LastPass, this login was using the LastPass account's master password. The email doesn't look like it's a phishing attempt. What troubles me is that the master password was stored in a local encrypted KeePassX file. I can imagine that someone has my KeePassX file and the (completely different) password to this file. If that's the case, I'm in a world of hurt. But are there any other possibilities? Is the email from LastPass accurate i.e. was the login attempt actually using my master password? Is there some LastPass extension installed on some computer still having a valid auth token allowing them to login as me to LastPass..? I'm really confused, and scared. Thanks for your help. P.S. The LastPass account had 2FA set up, but I was able to simply remove it (since I didn't have access to the token anymore). That's scary too -- what's the point of a 2FA you can remove...??

Comments