Users of the free browser add-on LastPass, which offers secure online password and form management, have found themselves forced to change their master password. This follows an announcement by LastPass after it detected an unexplained “anomaly” in one of its machines’ network traffic logs.

After failing to adequately explain the cause, LastPass has taken a “worst-case scenario” approach to the anomaly, assumed it represents some form of security breach – the amount of data transferred was large enough to have contained enough sensitive information to have enabled any hacker to attempt to brute force insecure passwords – and triggered a mandatory password change for all users.

LastPass users will need to reset their passwords when prompted after attempting to log in, or by visiting the account reactivation page. Enter the email address you use to log into your LastPass vault, then wait for an email containing the link you need to use to re-enable your account and change the master password – check your spam folder if it doesn’t arrive promptly.

As part of LastPass’s response to this potential threat, it has rolled out a new cryptographic key derivation function, PBKDF2, which improves security on the server and helps protect against future potential breaches. At present it’s only used on the LastPass servers, but will be rolled out to browser extensions in a future update.

Lastpass is available both as browser add-ons and as a standalone 32-bit and 64-bit universal installer for Windows, Mac and Linux.