I’m a happy LastPass user, and this doesn’t change that, though I did change my password just in case. Regarding their password storage, Ars interestingly notes that:
He paid particular attention to the 100,000-round hashing routine, which he said was among the strongest he has ever seen. Gosney, a password security expert at Stricture Group, wrote: … On an NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10 guesses per second for a single password hash. That is proper slow!
The post was later updated to say “10,000 guesses per second”, which according to the article is still very slow.
Post updated to correct Jeremi Gosney’s math in the last paragraph. Gosney previously said an attacker with an Nvidia GTX Titan X would be able to make only 10 guesses per second. He later discovered an error in his calculations and concluded that the correct number of guesses per second was 10,000. He said 10,000 guesses per second remains extremely slow, and he stands by the rest of what he had to say.
I’m also a happy LastPass user, and this didn’t change that for me either. That said, I am a two-factor LastPass user (I love my YubiKey w/ NFC and use it everywhere I can); I would be more nervous if I didn’t use two-factor.
I hope they release some more technical details.