At this point, I recommended that users change their master password, which would also re-encrypt their password vault, based on better safe than sorry. With local access to the encrypted databases, this becomes a lot easier to pull off but is still dependent on the user either having a weakly constructed master password or one reused across services, including one that has been compromised. Unless, of course, they used brute-force methods to try known passwords from other breaches. This meant the attacker now had customer password vaults but not the means to open them.
LastPass attacker stole customer password vaults
