Sergiu Gatlan reports:
Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.
The email notifications also mention that the login attempts have been blocked because they were made from unfamiliar locations worldwide.
If you are a LastPass user, you should definitely read more at BleepingComputer, as some users who used unique master passwords report getting attempted logins, and some users who reset passwords reported that they almost immediately got notified of new attempts to login using the new password.
Updated 12/29: LastPass has updated their notice and findings. At the present time, they continue to say that there appeared to be a credential stuffing attack, but that their defenses worked. A credential stuffing attack means that the attack was not a failure of LastPass’s security but rather that attackers attempted to use login credentials found in other breaches, hoping that LastPass users had reused their master password elsewhere. LastPass’s further investigation also found that some of the alerts sent to users were in error. Read their notice here.