There are a number of password protector/encryptor services out there that are intended to protect the user from being hacked. Well, what happens when the password protector service itself gets attacked? Hopefully nothing.
Here’s an email that LastPass sent out to its customers tonight:
Dear LastPass User,
We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.
We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.
We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.
The LastPass Team
According to this email, email addresses and password reminders were compromised, but encrypted user vault data (hopefully) wasn’t. So, if you are a LastPass user, expect to be asked for verification and to update your master passwords.