Hacker News
by simpleguitar 1635 days ago
LastPass's statement via HowToGeek: https://www.howtogeek.com/776450/lastpass-says-it-didnt-leak...
1 comment

So the original article is down, but this sounds like people who used the same password as their master password and on some _other_ service that has been leaked, i.e. a user whose LastPass master password is the same as their Facebook password. Very different from LastPass leaking master passwords. Is this the same issue, or a case of LastPass not getting the situation?

This article mentions that there were users with unique LastPass passwords who had this occur. Also, I guess they have no incentive to admit a breach.
> I guess they have no incentive to admit a breach

It's an interesting game: Reputation is essential to their business. Admitting a breach will harm their reputation, denying it and then getting caught will harm it a lot, but denying it without being proven wrong will probably harm their reputation less (than an admission).

Personally, I'd rather trust a provider that admits a breach, provides transparency, demonstrates good incident response, and hasn't shown complete incompetence from the breach than a provider that has credible rumors of a breach and no good explanation, but I think I'm in the minority here.

Notably, TeamViewer had one of these "rumors but denying a breach and claiming credential stuffing" cases (they later admitted that they also had an earlier but unrelated intrusion that they kept secret for three years, which doesn't help). I think that if it was more than credential stuffing (that's a big if, the credential stuffing explanation is plausible), the strategy worked much better than admitting a breach.

LastPass doesn't store passwords on their servers, so it's not some magical breach.

Right, but from an earlier HN thread, people were saying their support forums prompted for their master password to log in?
How is this different from “enter your password and we’ll deliver your blob” and “enter your password and we’ll deliver you a login cookie”?

Neither way “must” they have stored your master password.
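The point made in the comment above, that a server can authenticate you and hand back either an encrypted vault blob or a session cookie without ever holding the master password, is easiest to see in code. The following is an added example written for this thread; it is not LastPass's implementation and is not code from anyone in the discussion. The scheme (PBKDF2 over the master password on the client to get a vault key, one further one-way step to get a login token, the server storing only a salted hash of that token) is a generic zero-knowledge-style design, the iteration count and the HMAC-counter stream cipher standing in for AES-GCM are illustrative assumptions, and the user, password and vault contents are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Illustrative parameters (assumptions for this example, not any vendor's real settings).
KDF_ITERATIONS = 100_000
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only. This key encrypts/decrypts the vault and never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS, KEY_LEN)


def derive_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """Client side only. One extra one-way step over the vault key; this is the
    credential the server sees, and it cannot be reversed to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for AES-GCM so the
    example stays standard-library only. Not for production use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, vault: dict) -> bytes:
    nonce = os.urandom(12)
    plaintext = json.dumps(vault).encode()
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    nonce, ciphertext = blob[:12], blob[12:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(vault_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class Server:
    """Stores, per user: a random salt, a hash of the auth token, and the opaque encrypted blob.
    The master password and the vault key are never sent to it, so it cannot store them."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, auth_token: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        auth_hash = hashlib.pbkdf2_hmac("sha256", auth_token, salt, KDF_ITERATIONS, KEY_LEN)
        self.users[email] = {"salt": salt, "auth_hash": auth_hash, "blob": blob}

    def login(self, email: str, auth_token: bytes):
        rec = self.users.get(email)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_token, rec["salt"], KDF_ITERATIONS, KEY_LEN)
        if not hmac.compare_digest(candidate, rec["auth_hash"]):
            return None
        # Whether the reply is the blob (as here) or a session cookie, the check is identical.
        return rec["blob"]

    def stored_bytes(self, email: str) -> bytes:
        """Everything the server holds for this user, for checking what a server breach exposes."""
        rec = self.users[email]
        return rec["salt"] + rec["auth_hash"] + rec["blob"]


def client_login(server: Server, email: str, master_password: str):
    """Full client flow: derive keys locally, present only the auth token, decrypt locally."""
    vault_key = derive_vault_key(master_password, email)
    blob = server.login(email, derive_auth_token(vault_key, master_password))
    return None if blob is None else decrypt_vault(vault_key, blob)


def demo():
    server = Server()
    email, master = "alice@example.com", "correct horse battery staple"  # constructed sample user
    vault_key = derive_vault_key(master, email)
    server.register(email, derive_auth_token(vault_key, master),
                    encrypt_vault(vault_key, {"facebook": "hunter2"}))  # constructed vault
    good = client_login(server, email, master)
    bad = client_login(server, email, "wrong password")
    stored = server.stored_bytes(email)
    # Does anything the server holds contain the master password or the vault key?
    leaked = master.encode() in stored or vault_key in stored
    return good, bad, leaked


if __name__ == "__main__":
    print(demo())
```

The one place this design is only as good as the client is the "support forum asks for your master password" scenario from the comment above: the protocol is zero-knowledge only if the password is fed to the KDF in the client and the raw string itself is never posted to any server endpoint. A login form that submits the password as-is, even if the backend then hashes it, breaks the property regardless of what the vault service does.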