lastpassPassword managers are growing more and more popular as people struggle to juggle the large amount of username/password combinations required for life in a digital world. Many of these programs are cloud-based, meaning your information is stored on the cloud in an encrypted “vault” and secured with a master password. While password managers make things a lot less complicated for Internet users, the big question is — what happens if your password manager gets hacked? Users of popular password manager LastPass are finding out.

The service issued a statement on June 15 that it had discovered an intrusion the previous Friday which exposed users’ email addresses, master password encryption information and the reminder words and phrases users are required to create for their master passwords. The master passwords themselves were not exposed, and no user accounts were accessed, but the information accessed could be used to help attackers breach users’ accounts, according to cybersecurity expert Brian Krebs. LastPass users are being strongly encouraged to change their master passwords a soon as possible.

What is LastPass doing to ensure user security?

Upon discovering the breach, LastPass immediately reset all master passwords and also made it so those without two-step verification enabled have to verify their identity by email when they try to log in from a new device. The service also contacted law enforcement and security forensic experts. It is unknown at this time how long the intrusion went on, which security experts say could make a huge difference in how many accounts are vulnerable. Accounts with weak or re-used master passwords are more vulnerable than those with more complicated passwords, and could be the targets of brute force attacks.

What should I do?

The most important thing for LastPass users is to change their master password as soon as possible. Because it is the safehold for all of your other Internet passwords, you should go above and beyond to make this password as complicated as possible. A long, strong password is advised — you can follow tips on this blog post for making a strong password. The longer and more random the better, especially with something as important as the master password for your password vault. Most user passwords are probably safe from this attack, but changing yours and strengthening it is never a bad idea.

It also might be a good idea to use a password manager that is not cloud-based, because invariably those are going to be more susceptible to breaches than a program that stores locally on your computer or device. Business Insider uncovered information that LastPass has been the target of hackers for years due to flaws in its security, which makes this hack potentially far worse than it seems. LastPass has stated its cryptographic protections on master passwords work to make cracking them nearly impossible. Additionally, all of the encrypting and decrypting happens on your device, which means LastPass never has access to the passwords you store in your vault.

Follow our identity theft protection blog to learn more ways you can protect your personal information.