Exclusive: LastPass CEO Explains Possible Hack

06.05.2011

PCW: Tell me about what steps LastPass is taking to further bolster security in light of all of this.

Siegrist: When signing in, we're forcing every user to prove to us that they're coming from an IP that we've seen them come from before, or prove that they still have access to their e-mail. We think by taking those steps, we're locking down any chance that somebody that guessed one of the master passwords would have any shot of getting in.

In retrospect, we probably overthought this a bit and we're maybe too alarmist ourselves. The real message needs to be that if you have a strong master password, nothing that could have been done would have exposed your data. The only thing we're worried about is people that have weak ones. That's why we're making all these moves.

A lot of the services on the servers that were involved have also been locked down as a precaution, and we're still investigating on that end as well. We haven't found anything unusual yet, but we're still looking at it.

[Author's note: LastPass has also now said it's rolling out stronger encryption standards on its data. Details are available at the company's blog.]