We know the machines involved have the users' encrypted blob data as well as the data for their usernames, their password hashes, and the salt for those hashes. Because of that and the size of the data, we don't think more than a couple hundred blobs could have been taken.
We're trying to look at what is the worst possible case and how we can mitigate any risks coming out of that. Could this be just some kind of weird glitch? It could. But we haven't had any of those before, and we've been watching this a long time.
PCW: We're talking about blobs, hashes, and salts, a lot of phrases folks aren't used to hearing. What does all of this mean in terms of what was actually in that data and what someone could glean from it?
Siegrist: You can combine the user's e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you're potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website.
The threat is that once somebody has that process down, they can start running it relatively quickly, checking thousands of possible passwords per second. If you made a strong master password, you are pretty much in the clear; it's not really an attackable thing. But if you used a dictionary word, that is within the realm of someone cracking it in a reasonable time frame.
[Author's note: The master password is the password used to protect a user's LastPass account. With it, you would be able to sign into the account and then directly access all the passwords that user has stored on LastPass's servers.]
PCW: So, to set the record straight: Is there any chance whatsoever that passwords users stored in their LastPass accounts could now be compromised?
Siegrist: We don't think there's much of any chance of that at this stage. If there was, it would be on the order of tens of users out of millions that could be in that scenario, just because of the amount of data that we saw moved. But it's hard for us to be 100% definitive without knowing everything.
That said, the chances that one of those, say, hundred accounts had a weak master password is relatively low.
PCW: If someone had what you'd consider a strong master password, then, would they have any reason to be worried at this point?
Siegrist: No. None.
PCW: What steps are you recommending users take now?