by aborsy 1399 days ago
Suppose that LastPass is compromised. What can an attacker do? Passwords are encrypted, with keys on users’ side.

Short of serving customers malicious JS code or an app to steal passwords, the production environment referred to in the article can be made totally public, without secrets in vaults being revealed, no?

1 comments

I suppose you could phish people into leaking the master password
Or inject malicious code into the apps/extensions to get users to submit their master passwords
Maybe sneak in an altered copy of the LastPass app by offering it as a security update by email.