
I don't use LastPass, but one thing that impresses me about their blog post: they didn't hide behind "your passwords are hashed" or something equally weaselly, but instead said exactly and clearly how passwords are hashed. Every online company should take note.



I would however appreciate more detail on the breach. This would at least give an indication of their general security posture.

I'm reading this as an embarrassing security lapse in general security, so they misdirect by talking in depth about password hashing.


I would also appreciate more detail, but that shouldn't be their first priority.

They note that they discovered the breach on 'Friday' so I imagine they have an ongoing Incident Response right now. They may not have or be ready to share this information at this time, and that's fine. They might be working with law enforcement, further hardening systems, and continuing to confirm their findings to date to ensure they've mitigated the full impacts.

What's important now is conveying how users are impacted and what steps they should take to protect themselves; hopefully the rest comes in time.


Another pain point is the delay from Friday's discovery to Monday's disclosure. While it's better than the sometimes weeks other companies have taken, it screams of the discovery happening at 4pm on a Friday, and everybody then saying "bah, fuck it, go home for the weekend, we'll work on it Monday". A security compromise like this should have been made known by Saturday at the latest, and worked on over the weekend. Three days is a long time for leaked passwords to go unnoticed by users, regardless of the encryption scheme being used.


I feel like that's a reasonable timeframe from 'hmm, something is odd' to 'we're pretty sure we fully understand the impact, time to notify users.'

There's a balance between early notification and misstating the impact.


Unfortunately, I don't believe they've ever posted a follow up with more technical analysis on previous breaches.


Yeah, people really need to take the time to read this before everyone freaks out and shouts, "LastPass is broken, switch to <xyz> service today before you are pwned by hackers!"

It really is a great post and they always have action items for their users to protect their security. I have really enjoyed using them and will continue to do so.


Well, they are a "password" company. Nothing surprising here.



