In a , LastPass said it first noticed a network traffic irregularity on Tuesday morning when looking at the logs for one of its non-critical systems. It decided to dig deeper into the problem after it was unable to find a root cause for the problem.

"After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)," the blog post noted.

Because LastPass has been unable to account for this anomaly, it has decided to assume that the database has been compromised. The amount of data that was transferred out of its system is big enough to have contained people's email addresses, their salted password hashes and the server salt, LastPass said.

Salting is a technique that is used to make it harder for people to misuse stolen passwords. A randomly generated key is added to the password before it is obscured, or hashed.

"We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blob," LastPass noted.