by blahaj 129 days ago
Just an anti-recommendation: Do not use LastPass. Reading the security breach section of their Wikipedia article should be enough reason.

For anyone reading this who uses LastPass: Switch away!

1 comments

According to the wiki, a one-click exfiltration vulnerability has existed for more than half a year and hasn't been fixed:

> In their default configurations, these extensions were shown to be exposed to a DOM-based extension clickjacking technique, allowing attackers to exfiltrate user data with just a single click. LastPass version 4.146.8 (September 12, 2025), which was intended to address the issue, remains vulnerable

https://en.wikipedia.org/wiki/LastPass#Security_incidents

Update: with Apple's 'Passwords' app, it appears all someone needs to do to get access to every single stored password is grab your iPhone while it's unlocked, or sneak it from you while sleeping and use Face ID to unlock it.

Or, they could shoulder surf to get a 6-digit PIN to unlock the phone, then steal it, then they're in.

Seems way less secure than 'Correct Horse Battery Staple'.

Face ID is required to unlock the Passwords app if you enable Stolen Device Protection.