LastPass, one of the best password managers out there, has been hacked. We urge all our readers who use LastPass to immediately change their master passwords.
[UPDATE] LastPass servers may be down for some, as they are being flooded with requests from users. Keep trying!
In a blog post, LastPass details how it detected an intrusion on its network. While encrypted user data was not stolen, the intruders did take LastPass account email addresses, password reminders, server per-user salts, and authentication hashes. This means your private password collection is still safe, but your master password may have been compromised.
LastPass writes: "We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."
Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. We recommend enabling multifactor authentication for added protection for your LastPass account. LastPass is also sending out emails to all users informing them about this breach and urging them to take precautionary measures.
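To make the layered hashing in the LastPass statement concrete, here is an added Python sketch (not LastPass's code and not from the original post) of a client-side stretch followed by a server-side salted PBKDF2-SHA256 with the 100,000 rounds the statement quotes. The client-side construction, the `CLIENT_ROUNDS` value, the 32-byte salt and all function names are assumptions for illustration; the accounts are constructed samples.

```python
import hashlib
import hmac
import os

SERVER_ROUNDS = 100_000  # server-side round count quoted in the statement
CLIENT_ROUNDS = 5_000    # assumed; the article gives no client-side count


def client_auth_hash(email: str, master_password: str) -> bytes:
    """Client side (assumed construction): stretch the master password
    before sending, so the server never receives the password itself."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_enroll(auth_hash: bytes) -> tuple[bytes, bytes]:
    """Server side: draw a random per-user salt and keep only the
    strengthened hash, never the value the client sent."""
    salt = os.urandom(32)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the user's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed sample accounts: two users who chose the same master password.
    password = "correct horse battery staple"
    alice = client_auth_hash("alice@example.com", password)
    bob = client_auth_hash("bob@example.com", password)
    a_salt, a_stored = server_enroll(alice)
    b_salt, b_stored = server_enroll(bob)
    wrong = client_auth_hash("alice@example.com", "hunter2")
    return {
        "alice_login_ok": server_verify(alice, a_salt, a_stored),
        "wrong_password_rejected": not server_verify(wrong, a_salt, a_stored),
        # Per-user salts keep identical passwords from producing identical records.
        "same_password_distinct_records": a_stored != b_stored,
        # Every candidate password must pay for both stages.
        "pbkdf2_rounds_per_guess": CLIENT_ROUNDS + SERVER_ROUNDS,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-guess cost applies to each candidate separately, which is why a weak or reused master password remains the exposed case and why the article's advice to change it still stands.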