LastPass is a service for users that is free and adds a browser extension that is supposed to remember all the passwords a user has for various passwords on websites and other things online. The LastPass company has announced that the service was apparently hacked by outside sources and that an unspecified amount of data was transferred away from the servers.
According to the company, the amount of data transferred was enough that it could contain “the server salt and their salted password hashes.” Salted apparently means the plaintext encrypted passwords that still need to be unencrypted using brute force methods were taken. The company feels that those that have non-dictionary based passwords will have no issues. LastPass is recommending that all users change their master passwords. Changing those master passwords has become an issue for some people though according to the comments on the official LastPass blog posting about the hack.
People are having trouble getting LastPass to prompt them to enter a new password or send them the link to get a new password via email. To make matters worse if they used LastPass to manage their email password, they are truly out of luck. LastPass has also added another layer of security to thwart the use of any stolen information; users have to access the service from an IP that they have used before. The rub here is if you happen to be on an ISP with dynamic IP address and the IP changes, no joy for the user.