LastPass users should change all of their passwords in order to protect themselves.
If you have high-value accounts such as your email, financial services, and heavily used social media accounts, you should turn on two-factor authentication for them. Even if attackers compromise the passwords for those accounts, they can't actually log in without the one-time code or hardware authentication key you've added as the second factor. Change the passwords for sensitive and high-value accounts first, then change all the passwords in your vault.
Since you're doing all of this anyway, it's a good time to switch to a new password manager. As you move to the new service, you can add your accounts to it as you go. 1Password is one of the alternatives recommended by WIRED. We haven't recommended LastPass since the company scaled back its free offerings a couple of years ago.
One senior security engineer, who asked not to be named because of professional relationships with people on the LastPass security team, said that people should switch to other password managers: LastPass failed to provide secure cloud-based credential storage.
People shouldn't be deterred from using password managers because of the LastPass situation. If you're a loyal LastPass user, you should change your vault password, turn on two-factor authentication for every account that offers it, and change all the passwords in your vault even if you don't migrate somewhere else.
Lukasz Olejnik, an independent privacy researcher and consultant, said that LastPass's communication strategy may undermine user confidence. The timing is the biggest issue: the initial investigation began months ago, so why disclose it now?
In a series of posts this week, the senior principal engineer of the Yahoo security team wrote that he used to support LastPass: "I defended it in the media, but things have changed."