@tlmcca Check out these two threads that are ongoing on the forum.
Also check out SN 904 and SN 905.
@Steve may cover more in the next episode. Don't know about that yet. There might be other threads on the forum you can find with the search engine by searching for lastpass.
I checked my password on the password haystacks page by putting in something with similar structure to the password I had before I found out about the breach, i.e. the same number of upper case, lower case, digits, and symbols. It said a cracking array trying 100 trillion guesses per second would take several billion trillion trillion centuries to crack my password, ON AVERAGE. Since that password has words in it, i.e. grammatical structure, the haystack page is overly optimistic. Still, I personally am not leaving LastPass at this time and I'm not changing the passwords on my sites. If the hackers DID crack the blob, they'd get my secret notes and there's nothing I can do about it. I certainly don't like it that my metadata and the blob are in enemy hands, but the whole point of all the encryption is to prevent them from being able to crack it.
I will point out one thing though, somebody just won a billion dollar lottery. That event was highly unlikely. But they did. So, unlikely things CAN happen. But, with my particular password, I think the risk is vanishingly small. Everyone has to make their own decision about what to do with their situation.
@CredulousDane I now have my iteration count over 1 million and I'm using Brave. It may take as much as a minute to decrypt the vault, but it is working.
I don't know what else LP can release after their blog post. I don't think they're publicly going to list which accounts were breached. I'm assuming it applies to all customers. If not, they should email each customer as to their status. As I understand it (and correct me if I'm wrong), an employee was phished (goes to show we're all human), and a bunch of metadata and a blob backup was stolen. If you had a weak password and/or an excessively low iteration count, your data could be at risk. Note that, as I understand it, even with a low iteration count, a good enough password still gives you all the protection you need. The key word being "enough", which is subjective. They say, if you've been abiding by their recommendations, you've got nothing to worry about. Here's a quote from their blog.
blog.lastpass.com
"If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.
However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored."
Hope this is helpful.
May your bits be stable and your interfaces be fast.
Ron
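As an added worked example (not part of Ron's post, the forum thread, or LastPass's own code): the haystack-style search-space arithmetic the post describes, plus how a PBKDF2 iteration count divides the effective guess rate, which is the point of raising the count to over 1 million. The 95-character printable-ASCII alphabet (26 + 26 + 10 + 33 symbols), the "count all lengths up to this one" search space, and the 100 trillion guesses per second figure follow the haystacks page; the PBKDF2-SHA256 construction, the e-mail-as-salt choice, the sample password and the 100,000 and 1,000,000 iteration counts are assumptions made here for illustration, not a statement of how LastPass derives its vault key.

```python
"""Haystack-style crack-time estimate, with and without a PBKDF2 work factor.

Added example; it does not reproduce LastPass's actual key derivation.
"""
import hashlib
import string

# Printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols (punctuation + space).
SYMBOLS = set(string.punctuation) | {" "}

# Assumed rate from the post: a "massive cracking array" at 100 trillion/sec.
CRACKING_ARRAY_RATE = 100_000_000_000_000

SECONDS_PER_CENTURY = 100 * 365.25 * 86400


def alphabet_size(password: str) -> int:
    """Alphabet = sum of the character classes the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += 33
    return size


def search_space(password: str) -> int:
    """Every candidate over that alphabet of length 1 up to len(password)."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_crack(password: str,
                     guesses_per_second: int = CRACKING_ARRAY_RATE,
                     kdf_iterations: int = 1) -> float:
    """Average time: half the space at the raw rate divided by the KDF cost.

    Assumption: each guess costs kdf_iterations hash computations, so a
    PBKDF2 count of N cuts the attacker's effective guess rate by N.
    The haystacks page itself assumes kdf_iterations == 1 (no KDF).
    """
    effective_rate = guesses_per_second / kdf_iterations
    return search_space(password) / 2 / effective_rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits (centuries at the top)."""
    units = [("centuries", SECONDS_PER_CENTURY), ("years", 365.25 * 86400),
             ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.3g} {name}"
    return f"{seconds:.3g} seconds"


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Hypothetical vault key: PBKDF2-HMAC-SHA256, e-mail as salt, 32 bytes.

    This is a stand-in for illustration; the page does not describe
    LastPass's real construction.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, 32)


if __name__ == "__main__":
    # Constructed sample with the same class mix the post describes (words + digits + symbols).
    sample = "Correct-Horse9Battery!staple"
    print(f"alphabet {alphabet_size(sample)}, length {len(sample)}, "
          f"search space {search_space(sample):.3e}")
    for iters in (1, 100_000, 1_000_000):   # 1 = haystack page; others assumed
        t = seconds_to_crack(sample, kdf_iterations=iters)
        print(f"PBKDF2 iterations {iters:>9,}: average {humanize(t)}")
    print("key:", derive_vault_key(sample, "ron@example.com", 1_000_000).hex())
```

Running it shows the two levers separately: length and alphabet set the search space, and the iteration count shrinks the attacker's effective rate linearly, so a million iterations buys about six orders of magnitude on top of whatever the password itself provides. A password built from dictionary words has a real search space far smaller than the character-class arithmetic suggests, which is exactly the caveat Ron raises about the haystacks estimate being optimistic.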