This title is so manipulative and misleading. The attacker stole a mountain of AES encrypted blobs, so unless this threat actor has broken AES already, it'll probably be decades before they'll be able to peer into your secrets.
Incorrect. It turns out your "vault" is comprised of unencrypted and encrypted fields. Unencrypted fields include URLs. If the attacker publishes this data, or sells it to somebody who does, this will be Ashley Madison x100.
It looks like the only relevant data that was unencrypted are the URLs [0]. I'm guessing that was some sort of design decision they made for the browser extension to be able to see if you had a password for that site.
If anything, apart from leaking the domain, which could still be a privacy issue, they should have at least sanitized the URLs to remove usernames or tokens if they were going to automatically save those URLs to the vault. I can guess that not doing so allowed their auto-login function to work on some websites by saving the login URL endpoint, but all I'd really want is the vault to keep the sanitized domain.
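Added example, not part of any comment in the thread and not LastPass code: a sketch of the sanitization the comment above asks for, reducing a login URL to scheme and host before it is stored outside the encrypted fields. The function names `sanitizeForVault` and `exposedParts` and the sample URLs are constructed for illustration.

```javascript
// Added example: keep only what is needed to match a site to a vault entry.
// Names and sample URLs are constructed; nothing here is vendor code.

// Returns scheme + host (+ non-default port), or null if the URL is unusable.
function sanitizeForVault(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null; // not a parseable absolute URL: store nothing
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  // origin drops userinfo, path, query string and fragment in one step.
  return u.origin;
}

// Names the parts of the raw URL that would be exposed if it were stored as-is.
// Only part names and query parameter names are reported, never their values.
function exposedParts(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return [];
  }
  const parts = [];
  if (u.username || u.password) parts.push("userinfo");
  if (u.pathname !== "/") parts.push("path");
  if (u.search) parts.push("query:" + [...u.searchParams.keys()].join(","));
  if (u.hash) parts.push("fragment");
  return parts;
}

// Constructed sample inputs.
const samples = [
  "https://alice:s3cret@intranet.example.com/login",
  "https://app.example.org/reset?token=abc123&user=alice#step2",
  "https://shop.example.net:8443/",
  "not a url",
];
for (const s of samples) {
  console.log(sanitizeForVault(s), exposedParts(s));
}
```

Even the sanitized value still reveals the domain, which is the privacy issue the comment notes remains.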
I used LastPass up until a few years ago. I've received three separate password reset emails this week for accounts I seldom use and haven't visited in months.
Someone is out there using whatever data or metadata was unencrypted.