IMO at this point every LastPass user should:<p>1. Check their password iterations to evaluate how urgent the rest of these steps are: <a href="https://support.lastpass.com/help/how-do-i-change-my-password-iterations-for-lastpass" rel="nofollow">https://support.lastpass.com/help/how-do-i-change-my-passwor...</a><p>2. If iterations are 100100 and your password is not a dictionary word (or quite short) you are <i>probably</i> ok but...<p>3. I'd still identify any high value passwords like email, financial, cryptocurrency, etc. and rotate them.<p>I am guessing the iterations are stored in the vault so would point out the low hanging fruit to the hackers.<p>All the other things LP is doing doesn't really matter since the customer vaults are already exfiltrated and do not use any sort of MFA offline.
"may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings"<p>What does MFA settings mean in this context?
Does enabling MFA protect users from these type of attacks?
Is MFA used as a part of the encryption key used to protect data?