Just before the weekend, LastPass came across some suspicious activity on its network. It closed off the security breach, but only after the bad guys had made off with some personal information. The incident serves as a reminder of the risks inherent in trusting a company and web service with your security.
The team found no evidence that any encrypted vault data was taken. This means you shouldn't have to change passwords on sites that you've stored in your LastPass account.
That said, some email addresses, password reminders, authentication hashes, and server per-user salts were compromised. As a result, LastPass is prompting everyone to update their master passwords (and you should go change your password if you've reused it on any other sites). The company is also requiring all users who log in from a new device or IP address to first verify their accounts unless they have turned on multifactor authentication.
All users should receive an email providing additional details.
- LastPass blog