The painful thing for LastPass users who did unfortunately reuse their master password on other sites is that this case is now an *offline* attack - which means 2FA or changing one's LastPass web password (or even master password) won't help much - the attackers have a point-in-time snapshot of all the credentials in those stolen vaults. And if you were using a weak (or worse, previously leaked) master password when they were stolen, you're screwed.
