Hacker News
by bombcar 1245 days ago
Even if you change all your passwords NOW, you’ve still had the metadata of where you have accounts leaked.

In principle, your passwords might be stored as a JSON blob encrypted using a key derived from your master password. In which case that metadata could still be secure. I doubt it though.
LastPass already admitted that the metadata was all leaked. Usernames and passwords were encrypted, but all else seems to have been in the clear.
Based on what happened to my wife, if the password was encrypted, breaking it was trivial.
She probably had an account that had a very low number of iterations. LastPass never updated those unless someone knew to do it manually, so if it was an old account she likely had 5,000 iterations out of the recommended minimum of 100,000.
It wasn't an old account. It was made within a year of the breach.
Just checked, mine is 5,000.
Yep. And the sucky thing is that the only recourse at this point is to reset all your passwords, because what was leaked was the low-iteration vault. Changing it now only saves you for future leaks.
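The point made in the last few comments, as an added example that is not part of the thread and not LastPass's code: a copied vault stays sealed under the iteration count it had when it was copied, so raising the setting afterwards only affects later copies. The snapshot layout, the key-check value, the function names and the use of PBKDF2-HMAC-SHA256 are assumptions of this simplified model; the 5,000 and 100,000 figures are the ones quoted above.

```python
import hashlib
import hmac
import os
import time

OLD_ITERATIONS = 5_000      # figure quoted in the thread
NEW_ITERATIONS = 100_000    # recommended minimum quoted in the thread


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def make_snapshot(master_password: str, iterations: int) -> dict:
    """Model a stored vault (hypothetical layout): KDF parameters plus a key-check value."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlocks(snapshot: dict, password: str) -> bool:
    """True if `password` reproduces the key this snapshot was sealed with."""
    key = derive_key(password, snapshot["salt"], snapshot["iterations"])
    expected = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return hmac.compare_digest(expected, snapshot["check"])


def seconds_per_derivation(iterations: int, rounds: int = 3) -> float:
    """Average wall-clock cost of one key derivation at this setting."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(rounds):
        derive_key("timing-sample", salt, iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    master = "constructed example passphrase"             # constructed sample value
    copied = make_snapshot(master, OLD_ITERATIONS)         # vault state when it was copied
    current = make_snapshot(master, NEW_ITERATIONS)        # vault after raising the setting
    print("copy still opens at", copied["iterations"], "iterations:", unlocks(copied, master))
    print("current vault uses", current["iterations"], "iterations")
    old_t = seconds_per_derivation(OLD_ITERATIONS)
    new_t = seconds_per_derivation(NEW_ITERATIONS)
    print(f"cost per derivation: {old_t:.4f}s vs {new_t:.4f}s ({new_t / old_t:.1f}x)")
```

The measured ratio is what the higher setting buys per derivation; it applies only to snapshots created after the change, which is why the thread's advice is to rotate the stored passwords themselves.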