LastPass – Let Risk, not FUD, control your actions.

LastPass got hacked.

Calm down.

It is not the first time it has happened to LastPass, and it will happen again. Just like any other service anywhere in the world will experience attacks – even successful ones – at some point in time. With the amount of evidence provided by LastPass in their post, including actions already taken by them, now is the time for users to change their master passwords. For context, 493 days had passed since the last change, which is a reasonable and acceptable change frequency for a master password.

Using a cloud-based password manager. Seriously?

Yes, seriously. Other password managers let users sync a password datafile using one or more “cloud” services. Some only have a local database, leaving it to the user to make backups and never lose devices to fire, theft or kids that play tennis with them. Discussions about “cloud services”, which in reality means using somebody else’s computers, have long been close to religious debates; it seems impossible to talk reasonably about it with some people. For most people it is “safe enough”, especially for those who have at least a basic understanding of what they are doing.

NSA, KGB & China (whatever their intelligence services are named) are not the enemy

Let’s be real. Most people are not of interest to any of those services, period. No, not even l33t h4x0rs speaking at Blackhat or Defcon or whatever. If they were, they really should get off the Internet. Anyone who does happen to be of (serious) interest to them has probably been told not to keep national/military secrets anywhere online, including passwords used to access such information. (In many jurisdictions that would be in violation of the law.)

Change all passwords at all sites – NOW!

Not so fast. For someone with 400+ sites stored in a LastPass database, that would take not hours, but days to complete. There is sufficient information to justify a change of master password for a LastPass account. For users who have previously configured 2FA support, geolocation-based login limitations, customized (increased) PBKDF2 parameters and other settings, and who change their master password now, a reasonable risk analysis says everything is fine. For now. Time will tell if that assessment was wrong, and that could potentially be the time to call insurance companies, banks and a few others to effectively reduce residual risk to an acceptable level. Bonus surprise: risk cannot be eliminated. That local-only heavily encrypted password database file stored offline on an FDE LUKS volume? A baseball bat to the knees will extract the password faster than even the biggest GPU cluster Jeremi Gosney at Sagitta Systems dreams of ever building.

Change the master password.

Activate multifactor authentication options. Set geolocation login restrictions, check trusted devices and increase the PBKDF2 settings. But please, be reasonable. FUD doesn’t help anyone. If LastPass follows the pattern from previous incidents, they will be open, honest and quick to provide users with reliable information. They’ve done it before, and there is good reason to be confident they will do it again.

At the end of the day, users can rest easy knowing they are primarily protected by the very best thing there is: a long, strong and easily memorable passphrase.
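The two pieces of advice above, raising the PBKDF2 iteration count and relying on a long, memorable passphrase, can be put in numbers. The following Python is an added example written for this page; it is not LastPass’s code and not part of the original post. It uses the standard library’s PBKDF2-HMAC-SHA256 to show how each guess against a stolen vault blob gets more expensive as iterations go up, and how passphrase length dominates that cost. The passphrase, salt, iteration counts compared and the attacker speed-up factor are all constructed assumptions, and the vendor’s real derivation parameters are not reproduced.

```python
import hashlib
import math
import time

# Constructed sample values for this illustration only; not real vault data.
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_SALT = b"constructed-salt-for-demo"
DICEWARE_LIST_SIZE = 7776  # entries in a standard Diceware word list


def derive_vault_key(passphrase: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a master passphrase with PBKDF2-HMAC-SHA256.

    Cloud password managers derive the vault key client-side before anything
    leaves the device. The salt and iteration count here are assumptions for
    the demo, not the vendor's real parameters.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=length)


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure single-core PBKDF2 throughput at a given iteration count.

    Whoever holds a stolen vault blob pays roughly this cost per guess, scaled
    by their hardware, which is why raising the iteration count matters.
    """
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", SAMPLE_SALT, iterations)
    elapsed = time.perf_counter() - start
    return samples / elapsed


def passphrase_entropy_bits(word_count: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase built from uniformly random word-list picks."""
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits: float, rate: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return 2 ** (entropy_bits - 1) / rate


def iteration_cost_multiplier(old_iterations: int, new_iterations: int) -> float:
    """Extra work per guess after raising the iteration count (linear in iterations)."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    # Assumption: a well-equipped attacker outpaces this single core by this factor.
    ATTACKER_SPEEDUP = 1_000_000
    SECONDS_PER_YEAR = 365 * 24 * 3600
    for iters in (5_000, 100_000):  # constructed low vs. raised setting
        rate = guesses_per_second(iters) * ATTACKER_SPEEDUP
        print(f"{iters:>7} iterations: ~{rate:,.0f} guesses/s for the assumed attacker")
        for words in (3, 6):
            bits = passphrase_entropy_bits(words)
            years = expected_crack_seconds(bits, rate) / SECONDS_PER_YEAR
            print(f"   {words}-word passphrase ({bits:.1f} bits): ~{years:,.1f} years")
    print("cost multiplier 5k -> 100k:", iteration_cost_multiplier(5_000, 100_000))
```

Two things the table makes concrete: moving from 5,000 to 100,000 iterations buys a 20× cost increase per guess, while adding three random Diceware words adds about 39 bits, a factor of roughly 500 billion. The iteration setting is worth raising, but the passphrase is where the protection really comes from, which is the point the post closes on.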