Though LastPass claims that the vault storing user passwords was not accessed, the company is warning users to change their master passwords. Last week the company detected some suspicious activity on the network, and was able to quickly block it. While they claim that no data was taken, and no accounts were accessed, the investigation did reveal some stuff was compromised. LastPass account email addresses, password reminders, server per user salts and authentication hashes fell victim to the attack.
The folks at LastPass are taking the security of everyone's account very seriously. From the company's blog post:
Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
LastPass is urging users who have a weak master password, or if you've reused your master password on another site, to change it immediately. Also, as with many other services, the company strongly recommends that users enable multifactor authentication for an added layer of security.
Source: LastPass
