What happens when a service designed to keep your passwords safe gets hacked itself?

Password-management service LastPass announced today that it “discovered and blocked suspicious activity” on its network on Friday that caused user email addresses, authentication hashes, password reminders and server per user salts to be compromised.

While the news suggests that some user’s email addresses may now be known to criminals and that hackers may now have useful hints to passwords for other sites you may be using, LastPass says that there is no evidence that any data from any user’s vault was taken; or that any accounts were logged into illegitimately before the hack was detected. This means that any of the passwords actually stored on the server have not fallen into the wrong hands, so there should be no need to reset passwords for every site you stored data for. LastPass is confident that its encryption is strong enough to make attacking those stolen hashes with any speed difficult.

Nevertheless, when it comes to LastPass itself, it is highly recommended you change your Master Password right now to ensure those vaults can’t potentially be accessed later. Although the company’s official recommendation is that you only need to change your master password if it’s weak or use that password on multiple sites, in any case of hacking, being paranoid is often the best approach. The company also recommends that users who don’t have two-factor authentication enabled on their accounts do so now, which sounds like sound advice.