The text in the original post above is missing the embedded link in the "Zero Knowledge architecture" that appeared in the original post on LastPass' website. Here is that link, where you can see their "Zero Knowledge" security architecture:
https://www.lastpass.com/security/zero-knowledge-security
Scroll down until you see the diagram showing how the Master Password is converted into an encryption key. If the customer is using the basic product without multi-factor authentication, then the effective strength of the key is the strength of the user-chosen Master Password. LastPass provides guidance on how to choose a strong Master Password. I view that as their "get-out-of-jail-free card". The truth is that most people choose poor passwords, and LastPass knows it. If a vault is compromised because of a weak Master Password, LastPass can point to their guidance and claim that the user did not follow it.
If the attacker exfiltrated copies of user password vaults, then they can bypass LastPass and apply whatever resources are available to them to attack the vaults.
Furthermore, there is no time limit. There may be new tools, new methods, or previously unknown vulnerabilities that may be exploited to attack the vaults whenever those capabilities appear in the future.
In my opinion, the convenience of being able to sync multiple devices with a common password vault stored on the internet is not worth the long term risks. I have been opposed to the practice ever since LastPass debuted it many years ago. The risks were obvious then, and now they have come home to roost.
My advice to LastPass users would be to:
- Change the Master Password immediately. Make sure it is strong. Very, very strong.
- Go through each individual password in your LastPass vault one by one and change them. Yes, it means changing them for each website or other use, but it also means that if the LastPass attacker cracks your vault, they get nothing because the passwords have all been changed. Yes, it will take a lot of effort.
- Think about the tradeoffs between the extra convenience and the long term risks associated with storing passwords on the internet.
- Consider using a locally stored password vault instead, with appropriate safeguards and regular backups, the same as what you should be doing for your computer anyway.
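As an added illustration of the point about the Master Password being the whole strength of the key once a vault copy is in an attacker's hands (this is example code written for this reply, not code from LastPass or from the original post, and it does not describe LastPass's actual cipher, iteration count or vault format): the vault key is derived from the master password with PBKDF2-HMAC-SHA256, the vault is encrypted under that key, and the "attacker" then runs the same derivation offline against an exfiltrated copy, one guess after another, with no server, no lockout and no rate limit in the way. The iteration count, the toy HMAC-based stream cipher standing in for the real vault encryption, the sample vault contents and the guess list are all constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed PBKDF2 work factor for the example; not a vendor setting.
ITERATIONS = 100_000

# Constructed sample vault contents and a constructed list of weak guesses.
VAULT_PLAINTEXT = b'{"example.com": "hunter2", "bank.example": "Tr0ub4dor&3"}'
WEAK_GUESSES = ["password", "123456", "letmein", "Summer2023!", "qwerty"]


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Master password -> 256-bit vault key. Nothing else feeds the key, so
    its strength is exactly the guessability of the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256; a stand-in for a
    real authenticated cipher so the example runs with the stdlib only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes):
    """Returns (nonce, ciphertext, tag); the tag lets a decryptor tell a right
    key from a wrong one, which is exactly what an offline guesser needs."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def decrypt_vault(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Returns the plaintext, or None if the key does not verify the tag."""
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def offline_guess(salt, nonce, ct, tag, candidates, iterations=ITERATIONS):
    """The attacker's loop against an exfiltrated vault: derive a key per
    guess and test it locally. Cost per guess is one PBKDF2 run; the only
    limits are the attacker's CPU/GPU budget and time, which is unbounded."""
    tried = 0
    for tried, guess in enumerate(candidates, 1):
        pt = decrypt_vault(derive_key(guess, salt, iterations), nonce, ct, tag)
        if pt is not None:
            return guess, pt, tried
    return None, None, tried


def demo(master_password: str, guesses, iterations: int = ITERATIONS):
    """Encrypt the sample vault under master_password, then attack the copy.
    Returns (recovered_password_or_None, plaintext_or_None, guesses_tried)."""
    salt = os.urandom(16)
    nonce, ct, tag = encrypt_vault(derive_key(master_password, salt, iterations), VAULT_PLAINTEXT)
    # From here on the server is out of the picture: salt, nonce, ct and tag
    # are all the attacker holds, and all the attacker needs.
    return offline_guess(salt, nonce, ct, tag, guesses, iterations)


if __name__ == "__main__":
    for pw in ("Summer2023!", "correct horse battery staple 7 moons"):
        found, _, n = demo(pw, WEAK_GUESSES)
        print(f"{pw!r}: {'cracked' if found else 'survived'} after {n} guesses")
```

Raising the iteration count only multiplies the attacker's cost per guess by a constant; it does not change the fact that a vault sealed with a top-of-the-wordlist master password falls after a handful of guesses, while one sealed with a long random passphrase exhausts the same list with nothing to show. That is why changing the master password after a breach does nothing for the copy already stolen, and why changing the passwords inside the vault is the step that actually empties the attacker's prize.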