The Fairfax, Va.-based LastPass, which provides a service allowing users to centrally manage all their passwords with a single master password, disclosed a breach of its databases. Hackers stole user email addresses and password reminders, the company said.

In an alert posted on its website Monday, the company said, “On Friday, our team discovered and blocked suspicious activity on our network.”

LastPass said its investigation found no evidence that encrypted user vault data had been taken or that user accounts had been accessed.

“The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised,” the company said. LastPass also said its encryption measures are sufficient to protect the vast majority of its users.

By adding a unique random element, or salt, to each user password before hashing it, database administrators make stolen hashes far harder to exploit: an attacker cannot use precomputed tables, and a single guess cannot be checked against every account at once. Each user's hash has to be attacked individually with automated guessing tools, and a slow, iterated hash makes every one of those guesses expensive.

LastPass recommended that users who log in from a new device or IP address and have not activated multifactor authentication verify their accounts by email. LastPass also plans to prompt all of its users to update their master passwords.

“LastPass and similar credential manager companies will always be a hot target for hackers, since they store usernames and passwords for many other sites,” Ondrej Krehel, founder/principal of cybersecurity intelligence firm LIFARS, stated. “Compromising platforms such as LastPass literally opens the door to essentially everything for that individual or enterprise.”

Krehel added, “The main concern is about when the systems were actually breached. The breach could have occurred a long time ago and LastPass is only discovering it now. It's possible that the hackers were already able to get access to user vaults.”

Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based KnowBe4, who regularly speaks about security risks, explained that the attackers did not steal LastPass users' master passwords.

“However, they did get hold of the hashes [long strings of characters or checksums] which are used by LastPass to verify that a master password is correct when the service is accessed,” he said.

Sjouwerman said one major relief is that LastPass stated the hackers did not access their password vaults. “These are the passwords you use on other sites,” he said. “So you can leave all those be. However, you might have to change your master password.”


However, if the master password is easy to guess, attackers holding the stolen hashes can run a so-called “brute force” attack offline, in which a computer tries thousands of candidate passwords per second against each hash until one matches.
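The salting and offline guessing described in the two passages above, shown as an added example that is not code from the article or from LastPass. The scheme parameters (PBKDF2-HMAC-SHA256, 100,000 rounds, a random 16-byte per-user salt), the sample users and the word list are all constructed for illustration and are not details reported on this page.

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumed, not from the article): slow, iterated
# hashing so that every guess costs the attacker real CPU time.
ROUNDS = 100_000
SALT_BYTES = 16

# Constructed sample word list an attacker might try first.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1"]


def make_record(email, master_password, salt=None):
    """Build the kind of per-user record the article says was stolen:
    email address, per-user salt and the authentication hash."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    auth_hash = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ROUNDS
    )
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record, candidate):
    """Server-side check of a supplied master password against the stored
    salt and hash. Constant-time compare avoids leaking partial matches."""
    h = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], ROUNDS
    )
    return hmac.compare_digest(h, record["auth_hash"])


def guess_offline(records, wordlist):
    """What an attacker with the stolen records can do: guess each user's
    master password offline. Because salts differ per user, a guess must be
    re-hashed for every account; work cannot be shared or precomputed.
    Returns the cracked accounts and the number of hash computations spent."""
    cracked = {}
    work = 0
    for rec in records:
        for word in wordlist:
            work += 1
            if verify(rec, word):
                cracked[rec["email"]] = word
                break
    return cracked, work


def build_sample_records():
    """Constructed users: two share a weak password (different salts give
    different hashes), one uses a long passphrase not in the word list."""
    return [
        make_record("alice@example.com", "letmein"),
        make_record("bob@example.com", "letmein"),
        make_record("carol@example.com", "correct horse battery staple"),
    ]


if __name__ == "__main__":
    recs = build_sample_records()
    print("same password, different hashes:",
          recs[0]["auth_hash"] != recs[1]["auth_hash"])
    cracked, work = guess_offline(recs, WORDLIST)
    print("cracked:", cracked)
    print("hash computations spent:", work)
```

Alice and Bob share a weak password, but their salted hashes differ, so the attacker pays for each account separately and finds them only by working through the word list twice; Carol's passphrase survives the whole list. Raising the round count raises the cost of every one of those guesses, which is why a strong master password combined with slow, salted hashing is what stands between a stolen hash and a recovered password.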

“If you have a long, very strong password, you should be OK. However, if you have used your LastPass master password on other websites, then RUN to your computer and change your master password ASAP,” Sjouwerman warned.

And there is something else to watch out for as well – the attackers made off with password hints, he said.

“That means they could send you a phishing email and trick you into revealing your password because they have the correct password hint,” Sjouwerman said. “Be especially alert when you get any email from LastPass or someone claiming to be from them.”

John Zurawski, vice president at Authentify, an arm of Early Warning, said he believes LastPass took all the right kinds of precautions, including encryption, anonymization and hashing. While it's unclear how this breach occurred, most breaches result from an authentication failure of some type, he said.

“The email addresses and password reminders are troubling,” Zurawski said. “The keys to an individual's digital kingdom are often an email as a username plus only a password. In today's cyber-risk climate, that is not enough.”

Zurawski added, “[LastPass] offers their end-users more than half a dozen forms of multi-factor authentication options, but they are just that – options. Most end-users are not security professionals. They won't automatically choose extra security because they don't understand the danger at a deep enough level. Stronger multi-factor authentication should be a requisite.”

Two-factor authentication should be the default setting for all new users for heightened security with the option to opt out, Krehel held. “Users should not make the mistake in thinking that encryption can protect them if they are using a weak password,” he said.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).