(no title)

That said, I have not dwelled to details of how LastPass handles the site design to avoid unintended leaks, (I believe the issues with leakedin are simply unintended mistakes rather than attempted malice) but I sure as hell would avoid using or recommending their services should I find mishandlings of the data within such trivial applications.

About (2), It matters in the sense, that we have to assume that all of the sensitive data which has been leaked before will continue leaking until they have identified the vuln. The worst thing a user can do, is to insert a recycled password and consider the situation resolved.

Should the hacker still have the backdoor open, he'll just steal the new keys as well. Salting helps a bit, but it's far from solving the problem.

What I'm proposing is that people should change the pw twice. First instantly (and not recycling) and then when LNKD has confirmed that this individual attack vector has been closed.