Lastpass got hacked.
- Calm down.
It is not the first time this has happened to LastPass, and it will happen again. Just like any other service anywhere in the world, it will experience attacks – even successful ones – at some point in time. With the amount of evidence provided by LastPass in their post, including the actions they have already taken, now is the time to change your master password. It had been 493 days since I last changed mine, which is a reasonable and acceptable change frequency for my master password.

- You are using a cloud-based password manager. Seriously?
Yes, seriously. Other password managers let you sync a password data file using one or more “cloud” services. Some only have a local database, leaving it to you to make backups and never lose your devices to fire, theft or kids that play tennis with them. Discussing “cloud services”, where in reality you just use somebody else’s computers, has long been close to a religious discussion. It seems impossible to talk reasonably about it with some people. For most people it is “safe enough”, especially if you have at least a basic understanding of what you are doing. I do.

- NSA, KGB & China (whatever their intelligence services are named) are not your enemy
Get real. Most of us are not of interest to any of those services, period. No, not even if you are a l33t h4x0r speaking at Black Hat or DEF CON or whatever. If you were, you really should get off the Internet. If you do happen to be of (serious) interest to them, you have probably been told not to keep national/military secrets anywhere online, including the passwords used to access such information. (Where I live, that would be in violation of our laws.)

- Change all your passwords at all sites – NOW!
Hell no, I won’t. It would take me not hours but days to complete. I’ve got some 400+ sites stored in my LastPass database now. There is sufficient information to justify a change of master password for my LastPass account. As I have previously configured 2FA support, geolocation-based login restrictions, customized (increased) PBKDF2 parameters and other settings, and am now changing my master password, my own risk analysis says everything is fine. For now. Time will show if I was wrong, and that could potentially be the time when I call my insurance company, my bank and a few others to effectively reduce residual risk to what I believe is an acceptable level. Bonus surprise: you cannot eliminate risk. That local-only, heavily encrypted password database file you have stored offline on an FDE LUKS volume? A baseball bat to your knees will get me the password faster than even the biggest GPU cluster Jeremi Gosney at Sagitta Systems dreams of ever building.
- Change your master password.
Activate multifactor authentication options. Set geolocation login restrictions, check your trusted devices and increase your PBKDF2 settings. But please, be reasonable. FUD doesn’t help anyone. If LastPass does as they have done before, they will be open, honest and quick to provide us with reliable information. They’ve done it before, and I am confident they will do it again.
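To show why the PBKDF2 setting mentioned above matters, here is an added example (written for this post, not LastPass’s own code): a vault key derived with PBKDF2-HMAC-SHA256, a stored login verifier, and the linear effect of the iteration count on an offline guesser’s cost. The e-mail-as-salt choice, the iteration counts and the attacker throughput are assumptions.

```python
import hashlib

# Constructed sample inputs; none of these values come from the post. Using the
# account e-mail as the PBKDF2 salt is an assumption about a typical vault
# design, not a statement about any particular product.
SAMPLE_PASSPHRASE = "a long strong passphrase only I remember"
SAMPLE_EMAIL = "User@Example.invalid"


def derive_vault_key(passphrase: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the master passphrase, salted with the e-mail.

    This is the key that encrypts the vault. The iteration count is the
    'PBKDF2 setting' the post recommends raising: the legitimate user pays it
    once per unlock, an offline attacker pays it once per guess.
    """
    salt = email.strip().lower().encode("utf-8")  # normalise so the salt is stable
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)


def login_verifier(vault_key: bytes, passphrase: str) -> bytes:
    """Value a server can store to authenticate the user without holding the
    vault key: one more PBKDF2 round over the key. Whoever steals the verifier
    can still guess passphrases offline, which is exactly why iterations matter."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, passphrase.encode("utf-8"),
                               1, dklen=32)


def offline_guess_seconds(iterations: int, guesses: int,
                          derivations_per_second: float) -> float:
    """Wall-clock seconds to try `guesses` candidates, given an assumed throughput
    of single-iteration PBKDF2 derivations per second (linear in iterations)."""
    return guesses * iterations / derivations_per_second


def cost_multiplier(old_iterations: int, new_iterations: int) -> float:
    """How many times slower every offline guess becomes after raising the count."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    low, high = 5_000, 100_100  # constructed example counts, not product defaults
    key_low = derive_vault_key(SAMPLE_PASSPHRASE, SAMPLE_EMAIL, low)
    key_high = derive_vault_key(SAMPLE_PASSPHRASE, SAMPLE_EMAIL, high)
    print("keys differ after raising iterations:", key_low != key_high)
    print("verifier:", login_verifier(key_high, SAMPLE_PASSPHRASE).hex())
    # Assumed 10^9 single-iteration derivations/s rig against 2^40 guesses:
    for it in (low, high):
        days = offline_guess_seconds(it, 2 ** 40, 1e9) / 86400
        print(f"{it:>7} iterations -> {days:.1f} days")
    print("cost multiplier:", cost_multiplier(low, high))
```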
Time to sleep, and I’m sure I’ll sleep well, primarily protected by the very best thing there is: a long, strong and, to me, easily memorable passphrase.