Siegrist: If you used a strong master password, even if anything had been taken, there shouldn't be any cause for concern. If you used a weak master password, there might be a little more risk, but it's kind of a one-in-a-million kind of a risk based on the total amount of data that was transferred. If you used a weak master password, it's probably wise now to replace it with a strong one and look at your most critical sites--your banking, your e-mail--and think about changing those.
[Author's note: LastPass is also requiring some users to change their master passwords with the service as a precaution.]
PCW: Some users have said they've been locked out of their accounts, or that their stored passwords are missing when they sign in. What's going on in those instances and what do you suggest people do?
Siegrist: What we think is essentially that they're using a new password but that there's old data on their computer from before the password change. What we're suggesting is that people re-login or clear their local cache, which can be done in the LastPass plugin. They can also always contact us and we can help them out.
PCW: Tell me about what steps LastPass is taking to further bolster security in light of all of this.
Siegrist: When signing in, we're forcing every user to prove to us that they're coming from an IP that we've seen them come from before, or prove that they still have access to their e-mail. We think by taking those steps, we're locking down any chance that somebody that guessed one of the master passwords would have any shot of getting in.
In retrospect, we probably overthought this a bit and we're maybe too alarmist ourselves. The real message needs to be that if you have a strong master password, nothing that could have been done would have exposed your data. The only thing we're worried about is people that have weak ones. That's why we're making all these moves.
A lot of the services on the servers that were involved have also been locked down as a precaution, and we're still investigating on that end as well. We haven't found anything unusual yet, but we're still looking at it.
[Author's note: LastPass has also now said it's rolling out stronger encryption standards on its data. Full technical details are available at the company's blog.]
PCW: What would you say to someone who's seen some of today's coverage and is feeling apprehensive about continuing to store their passwords with LastPass?