Password-management service LastPass announced today that it "discovered and blocked suspicious activity" on its network on Friday. While the company says that there is no evidence that user vault data (a user's stored passwords) was taken or that accounts were accessed, it did acknowledge that user email addresses, authentication hashes, password reminders and server per-user salts were compromised. LastPass is confident that its encryption is strong enough to make it difficult to attack those stolen hashes with any speed. But yeah, if you're a LastPass customer you should change your password. Even though LastPass recommends you change your password if you have a weak master password or use that password on multiple sites, you really should change your master password -- and switch on multifactor authentication -- just in case.
Dear LastPass User,
We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken; however, other data, including email addresses and password reminders, was compromised.
We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.
We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.
The LastPass Team