Today LastPass, the online password storage site, announced that they detected a security breach on their network last Friday. They further state that there was no evidence that encrypted user vaults, which contain the passwords, were taken or that user accounts were accessed. Unfortunately, account email addresses, password reminders, and authentication hashes were accessible to the hackers. Though LastPass states the authentication hashes are secured with thousands of rounds of SHA256 hashing, they are asking people to verify their accounts again and update their master password.
It may be true that users' passwords are secure, but the information that was accessible still poses a major security risk. Criminals can use this information to create targeted phishing campaigns that trick people into entering their master passwords or other sensitive information, giving the criminals further access to a victim's LastPass account.
Unfortunately, LastPass decided not to immediately send emails to all affected users and only posted the announcement today, 3 days after the security breach. There are already numerous comments from LastPass users on the announcement page saying they feel LastPass did a bad job of handling the situation and notifying its users.