Hacker News

I just deleted, regenerated, and re-associated Google Authenticator and then altered the number of iterations from 10,000 to 10,001 (causing it to re-encrypt the database). None of this is really required, but it has invalidated much of the information they could have stolen.

The thing that really bugs me about this is the email address. I have a very low spam level on that account (sub-1 per day on average) and I want to keep it that way. The last thing I need is for someone to dump this theft onto a Pirate Bay-like site and then to get spammed by everyone and the kitchen sink.




Kitchen sink spam is the worst.

"Drain covers in your neighborhood are horny now."

"Faucet dripping? Here's how to earn money from home with it."


How will that invalidate the info they have?


I presume he is under the assumption that the secret seed to the OTP algorithm was compromised.

By disabling / deleting your OTP token and re-adding it, you are essentially re-generating this seed.

I am not sure I understood the comment "altered the number of iterations from 10,000 to 10,001 (causing it to re-encrypt the database)". Care to elaborate, @Someone1234?


LastPass double-hashes (ignoring iterations) master passwords. It has a client component based on PBKDF2 and a server component (per this article) also PBKDF2 based.

If the bad guys stole the hashes after they were hashed by LastPass's servers, then changing the client iterations wouldn't do a damn thing. However, because LastPass have an unknown network compromise, one could worry that the bad guys intercepted LastPass client-hashed passwords between the client and server.

IF they modified the LastPass client, they could have it send LastPass's servers the already client-hashed password and therefore log in even without knowing someone's plain text master password.

By altering your account iterations even by 1, you've now effectively forced them to decrypt the client hash (to plain text) before they could use it to log in to LastPass's servers.

Again this only helps if they intercepted network traffic on LastPass's internal network.

PS - The OTP thing is as you said. PPS - A better idea is just to change your master password.
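The two-stage scheme the comment above describes, as an added example that is not LastPass's code: the client runs PBKDF2 over the master password, the server runs PBKDF2 again over what it receives, and bumping the client iteration count makes a previously captured client hash stop authenticating. SHA-256, the email as client salt and the 100,000 server rounds are assumed parameters.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration only, not LastPass's real ones.
SERVER_ITERATIONS = 100_000


def client_hash(master_password: str, email: str, iterations: int) -> bytes:
    """Stage 1: what the client sends instead of the plaintext master password.
    `iterations` is the user-adjustable count (10,000 vs 10,001 in the thread)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations)


def enroll(email: str, master_password: str, iterations: int) -> dict:
    """Create (or, after an iteration change, re-create) the server record."""
    salt = os.urandom(16)
    ch = client_hash(master_password, email, iterations)
    stored = hashlib.pbkdf2_hmac("sha256", ch, salt, SERVER_ITERATIONS)
    return {"iterations": iterations, "server_salt": salt, "stored_hash": stored}


def authenticate(record: dict, submitted_client_hash: bytes) -> bool:
    """Stage 2: the server re-derives its hash and compares in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_client_hash,
                                    record["server_salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["stored_hash"])


def iteration_bump_outcomes(email: str, master_password: str) -> dict:
    """Does a client hash captured at 10,000 rounds still work after the
    user re-enrols at 10,001 rounds? Returns each outcome by name."""
    old_record = enroll(email, master_password, 10_000)
    captured = client_hash(master_password, email, 10_000)  # seen on the wire
    new_record = enroll(email, master_password, 10_001)    # after the bump
    return {
        "captured_works_before_change": authenticate(old_record, captured),
        "captured_works_after_change": authenticate(new_record, captured),
        "real_password_works_after_change": authenticate(
            new_record, client_hash(master_password, email, 10_001)),
        # a leaked server-side record is not itself a usable login token
        "stored_hash_replay_works": authenticate(
            new_record, new_record["stored_hash"]),
    }
```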




