JCD, I think that may well be the explanation, as the reports did not have the hallmark of hacking everyone’s master password. That said, a lot of the web speculation around it does perhaps point to ways in which focussed attacks on an individual’s master password MAY be possible. Comfortingly such attacks usually require pwning the actual PC so they will only be of real value for long term attacks on the individual by a Nation State or criminal enterprise.
All that said, the LastPass article had some useful general advice at the end. The only bit I thought needed a bit of explanation is their so-called ‘Dark Web’ monitoring. It struck me that this was just their fancy way of using https://haveibeenpwned.com/ , use of which does need a bit of tuition. For example I know that my email address has been previously pwned a specific number of times due to failures by companies (such as Malwarebytes) not taking sufficient care to secure their databases. However each of these has emailed me concerning their failure, and I also know that I had used a throwaway password with them. HaveIbeenPwned shows that there have been no successful ‘paste-ins’ of these passwords – showing that there were actually unique. I’ll now only get very concerned if I learn that a new attack on a financially important company such as PayPal etc has leaked my current password!
I’ll get a bit concerned/annoyed if the number of companies leaking my email increases and I have not already been informed by the company concerned. If that ever happens, I will be sending a zinger, complaining about them to the UK’s Information Commissioners Office!
.
