1. If LastPass has been compromised, the scale of these attacks would have been tens of thousands of times higher. But it isn't. And I think it is reasonable to trust and assume Lastpass does not hold the master password, as they have stated.
2. If it was a browser extension, and clipboard sniffing, the scale would have been higher as well. But it is important to note there are many reports that those passwords have not been used for 3-4 years. They would have sat on a trove of passwords and decided today is the day. And yet reports of these attacks, while scary, are still very very limited.
3. It is hard to make a guess without everyone posting their OS, computer, browser, extensions, list of software, and even router, location, network (MITM?) etc.
4. We have tested the theory of Lastpass triggering the wrong email notification even with a wrong password. So far it doesn't seem to be the case here.
5. Nearly all reported cases are unique passwords. (A few didn't specify.)
6. There was a case where the whole Lastpass App and passcode was stored on an old laptop which hasn't been used for a long long time.
7. And yet there are also cases where the account was only created in October / November this year. Meaning this activity is fairly recent. (Doesn't rule out that they could be two independent leaks or attacks.)
8. I was expecting someone working in InfoSec would jump in, but I guess they are all on holiday at the moment.
9. This happened just after LogMeIn announced they will spin off Lastpass. I am thinking of the incident with Ubnt where the actual problem was internal, an employee hacking their own company for bitcoin or something. Still I don't know how any Lastpass staff, without storing any master password, could have gained access to it.
10. For now this doesn't seem like a coordinated PR attack on LastPass. If it was, seriously, guys, you need to do a better job with social media marketing. :P
Anyway, it is an interesting thread to watch.