LastPass owner GoTo shares more bad news about November’s security breach

I left LastPass years ago but have no idea whether my info might still be in this breach. At this point I’m almost afraid to ask.

IMO at this point every LastPass user should:<p>1. Check their password iterations to evaluate how urgent the rest of these steps are: <a href="https:&#x2F;&#x2F;support.lastpass.com&#x2F;help&#x2F;how-do-i-change-my-password-iterations-for-lastpass" rel="nofollow">https:&#x2F;&#x2F;support.lastpass.com&#x2F;help&#x2F;how-do-i-change-my-passwor...</a><p>2. If iterations are 100100 and your password is not a dictionary word (or quite short) you are <i>probably</i> ok but...<p>3. I&#x27;d still identify any high value passwords like email, financial, cryptocurrency, etc. and rotate them.<p>I am guessing the iterations are stored in the vault so would point out the low hanging fruit to the hackers.<p>All the other things LP is doing doesn&#x27;t really matter since the customer vaults are already exfiltrated and do not use any sort of MFA offline.

&quot;may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings&quot;<p>What does MFA settings mean in this context? Does enabling MFA protect users from these type of attacks? Is MFA used as a part of the encryption key used to protect data?