Dang, do I need to drop LastPass now?
^^^ YES.
LastPass had a break-in, where a backup copy of some unknown segment of their master archive was stolen. Each customer's data is still encrypted with that person's master password, but:
- Only user names and passwords and the content of secure notes were encrypted. URLs, comments in regular password entries, etc. are in clear text.
- The attackers have that backup copy now, and they can just keep trying every possible password on every customer's data, forever, until they get into some of them. The stronger your master password was, the more likely it is that that'll take a long time, but when they do, they'll have complete access to everything in your vault, as of whenever that backup was made.
- Nothing you do in LastPass now can prevent that; the attackers already have that backup. Your only real defense is to change every important password you had in there, now, making the attacker's backup copy irrelevant.
- LastPass never should have let anything like this happen, and they should have been more forthcoming about it when it did. They don't deserve your business, and you need better protection than I'd trust that company to deliver.
This isn't hyperbole; the story has been all over every major news outlet, Wikipedia, etc.
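The reply's advice is to rotate every important password now. As an added example, not from the original post or from LastPass, here is a small triage script that reads a vault export (assumed to be a generic CSV with `url,username,password,name` columns; the entries are constructed, not real credentials) and orders entries by rotation priority: reused passwords first, since one successful guess against the stolen copy then opens several accounts, then short ones, then the rest.

```python
import csv
import io
from collections import Counter

# Constructed sample export shaped like a generic CSV vault dump.
# The url and name columns are the kind of fields the post says were
# stored in clear text; the password column is what stays encrypted.
SAMPLE_EXPORT = """url,username,password,name
https://bank.example/login,alice,Tr0ub4dor&3,Bank
https://mail.example/,alice@example.net,Tr0ub4dor&3,Mail
https://shop.example/,alice,shortpw,Shop
https://forum.example/,alice_f,c9X!vQ2#mL8$pZ4wRt,Forum
"""


def rotation_plan(export_csv, min_len=12):
    """Return vault entries sorted by rotation priority with their reasons.

    Priority: reused passwords first (one recovered password exposes every
    entry sharing it), then passwords shorter than min_len, then everything
    else. Every entry is still listed because the whole vault was taken.
    """
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    counts = Counter(r["password"] for r in rows)  # detect reuse across entries
    plan = []
    for r in rows:
        reasons = []
        if counts[r["password"]] > 1:
            reasons.append("reused")
        if len(r["password"]) < min_len:
            reasons.append("short")
        plan.append({"name": r["name"], "url": r["url"], "reasons": reasons})
    plan.sort(
        key=lambda e: (
            0 if "reused" in e["reasons"] else 1,
            0 if "short" in e["reasons"] else 1,
            e["name"],
        )
    )
    return plan


if __name__ == "__main__":
    for entry in rotation_plan(SAMPLE_EXPORT):
        flags = ", ".join(entry["reasons"]) or "rotate (vault copy stolen)"
        print(f"{entry['name']:<6} {entry['url']:<30} {flags}")
```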