[ViViDboarder]

The additional justification there seems to ring true to me at least. If you had machine access, why not download the database from the “trusted” (compromised) machine? Why not extract the plain text passwords when they unlock their vault? How would it impact users who hadn’t logged into their accounts in years?

Malware doesn’t seem to fit to me.

[jmull]

Consider if you have key logger logs you’d like to profit from. What do you look for? Login credentials is a good idea… which login credentials should you target? Password manager credentials seem like a good idea, since that gives you full login details for anything else else you might want.