http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html
Our next steps
This bug has been out there for a long time, so we have to assume our SSL keys could have been compromised. We requested a reissued certificate this morning, and plan to roll it out today, while we’ve already deployed the OpenSSL software update after restarting our servers this morning.
LastPass customers should not be affected by the certificate transition, we expect it to be seamless with no interruptions to service.
Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks) if those sites utilize Apache, Nginx or show as vulnerable to the Heartbleed bug. However, users should wait until their sites have replaced their certificates, with a start date after today (April 8th, 2014). For more information on replacing passwords with newly-generated ones, please see this article.
Thank you to our community for your vigilance, and we’ll provide further updates if there are any changes to the situation