The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.
Unless they (or someone compromising their servers) decide to store it. Because they absolutely could, and you wouldn’t even notice. E.g. when you enter your master password into the login form on their web page.
But it’s not just that. Even if you use their browser extension consistently, it will fall back to their website for a number of actions. And when it does so, it will give the website your encryption key. For you, it’s impossible to tell whether this encryption key is subsequently stored somewhere.
None of this is news to LastPass. It’s a risk they repeatedly chose to ignore. And that they keep negating in their official communication.
Yeah…