
According to [1], there were 5,000 client-side rounds of SHA256 in key derivation in June 2015.

It does sound like a missed opportunity to have an at-login upgrade mechanism to upgrade KDF rounds that can be carried out seamlessly or near-seamlessly during the login process. Or at least actively nudging users to change password and thus raise their KDF rounds that way through the default.

[1] https://blog.lastpass.com/2015/06/lastpass-security-notice/
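The at-login upgrade described in the comment above, as an added sketch that is not part of the comment and is not LastPass's code. It assumes the password-derived key only wraps a random vault key, so raising the rounds means re-wrapping that one key rather than re-encrypting the vault. The record layout, the function names, the target value, and the XOR stand-in for a real key-wrap are all assumptions.

```python
import hashlib, hmac, os

TARGET_ITERATIONS = 600_000  # assumed policy value, not taken from the page

def _derive(password, salt, iterations):
    """Return (verifier, wrap_pad) from one PBKDF2-HMAC-SHA256 run."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    verifier = hmac.new(master, b"verifier", hashlib.sha256).digest()
    wrap_pad = hmac.new(master, b"wrap", hashlib.sha256).digest()
    return verifier, wrap_pad

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(password, vault_key, iterations):
    """Build an account record; vault_key is a random 32-byte data key."""
    salt = os.urandom(16)
    verifier, pad = _derive(password, salt, iterations)
    # XOR with a single-use pad stands in for a real key-wrap such as AES-KW.
    return {"salt": salt, "iterations": iterations,
            "verifier": verifier, "wrapped_key": _xor(vault_key, pad)}

def login(record, password, target=TARGET_ITERATIONS):
    """Return (vault_key, upgraded); (None, False) on a wrong password."""
    verifier, pad = _derive(password, record["salt"], record["iterations"])
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None, False
    vault_key = _xor(record["wrapped_key"], pad)
    if record["iterations"] >= target:
        return vault_key, False
    # The plaintext password exists only during login, so upgrade here:
    # fresh salt, higher round count, same vault key re-wrapped.
    record.update(enroll(password, vault_key, target))  # one atomic write in practice
    return vault_key, True

if __name__ == "__main__":
    rec = enroll("constructed sample password", os.urandom(32), 5000)
    print(login(rec, "constructed sample password")[1], rec["iterations"])
```

Accounts that never log in again keep their old round count under this scheme, which is why the comment's second suggestion, nudging users, still matters.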


