by MBCook 3095 days ago
It means that if someone hacks into their forums and gets credentials, then all your passwords are open to them.

Why?

1.) LastPass login page hashes MasterPassword on the login page to produce a hash

2.) Hash is sent to the forums, and is checked against the same hash as the vault system

3.) Hash is confirmed, and you're logged in.

1.) Later, the hash is grabbed by an attacker.

2.) Attacker sends the hash to get the encrypted vault

3.) Attacker gets the encrypted vault

4.) Attacker is sad, because they don't have the MasterPassword, and thus have no access to all your passwords

Note that I'm not saying that they are awesome, and/or are doing the above. But it's not immediately obvious that a MasterPassword can't hash a forum login and a vault request at the same time. I mean, that's literally what the "MasterPassword never leaves the client" is supposed to mean.

[0] - https://lastpass.com/support.php?cmd=showfaq&id=6926
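As an added example (not code from this thread, and not LastPass's implementation), the sketch below shows the split the comment above describes: the client derives one key that encrypts the vault and a separate one-way value that it sends for login, so the vault API or a forum sharing its SSO only ever holds the login value. Whoever captures that value can fetch the encrypted blob but holds nothing that decrypts it. The KDF, iteration count, server-side verifier, toy HMAC-based stream cipher, and sample credentials are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this example, not a LastPass value


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client side only: slow KDF over the master password, salted with the
    username. This key encrypts the vault and never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.encode(), ITERATIONS, dklen=32)


def derive_login_hash(vault_key: bytes, username: str) -> bytes:
    """Client side: one further one-way step. This is the value sent to the
    server (vault API or forum SSO); it cannot be reversed into vault_key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, username.encode(), 1, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher built from HMAC-SHA256 (stdlib only, so the demo
    runs offline). A real vault would use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block_key = hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block_key))
    return bytes(out)


class VaultServer:
    """Everything the service side ever sees: a login hash, never a vault key."""

    def __init__(self) -> None:
        self.users: dict = {}  # username -> (server_salt, verifier, encrypted_vault)

    def register(self, username: str, login_hash: bytes, encrypted_vault: bytes) -> None:
        # Hash the login hash again with a server-side salt so a database dump
        # does not directly hand out a value that logs in.
        server_salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, ITERATIONS, dklen=32)
        self.users[username] = (server_salt, verifier, encrypted_vault)

    def login(self, username: str, login_hash: bytes) -> Optional[bytes]:
        """Steps 2-3 of the attacker flow in the comment: a valid login hash
        returns the encrypted blob and nothing more."""
        server_salt, verifier, encrypted_vault = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, ITERATIONS, dklen=32)
        return encrypted_vault if hmac.compare_digest(candidate, verifier) else None


def demo() -> dict:
    """Walk both numbered flows from the comment with constructed sample data."""
    username = "alice@example.test"                                   # constructed
    master = "correct horse battery staple"                           # constructed
    vault_plaintext = b"site=example.test user=alice pass=s3cret"    # constructed

    # Legitimate client: derive both values, encrypt the vault, register.
    vault_key = derive_vault_key(master, username)
    login_hash = derive_login_hash(vault_key, username)
    nonce = secrets.token_bytes(12)
    blob = nonce + keystream_xor(vault_key, nonce, vault_plaintext)
    server = VaultServer()
    server.register(username, login_hash, blob)

    # Someone holding only the captured login_hash can log in and fetch the
    # blob, but login_hash is not the vault key and cannot be turned into it.
    fetched = server.login(username, login_hash)
    with_login_hash = keystream_xor(login_hash, fetched[:12], fetched[12:])
    with_vault_key = keystream_xor(vault_key, fetched[:12], fetched[12:])
    return {
        "login_hash_logs_in": fetched is not None,
        "login_hash_decrypts": with_login_hash == vault_plaintext,
        "vault_key_decrypts": with_vault_key == vault_plaintext,
        "login_hash_is_vault_key": login_hash == vault_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the demo makes explicit is that "hash is sent to the forums" is only safe if the value sent is derived one-way from the vault key, not the vault key itself; the extra server-side salted verifier is there so that a forum database dump does not even yield the login hash directly.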

1.) Find exploit in forum software/server.

2.) Modify login.php to send form username/password to attackers server.

Except there is no forum login page, just a SAML redirect to their SSO login.

Modify login page to have a login form

At that point, it gets a little silly honestly. If you can modify the login page to have a login form, then you can also modify it to bypass any type of security system you could ever dream up. The GP here seems to want the support forum to have an independent password. Even if they did that, if we're completely changing the login form, you could change it to say "due to new security features, you now log into our forum using your master password, please enter it below". So exactly what is it that they should do, and how would that be more secure than what they're doing now?

And that link can be changed.
0.) LastPass login page is hacked with a skimmer.

1.) Game over.