LastPass posted an update on its investigation into a couple of security incidents last year, and they sound worse than we thought. The hackers infiltrated a company DevOps engineer's home computer by exploiting a third-party media software package. They implanted a keylogger into the software and captured the engineer's master password for an account with access to the LastPass corporate vault. After they got in, they exported the vault's entries and shared folders with decryption keys. The company insisted that all sensitive customer vault data, aside from some exceptions, "can only be decrypted with a unique encryption key derived from each user's master password." The company added that it doesn't store users' master passwords.

– Mat Smith