Tihan is right.. patrick/amir/donald should've changed the LastPass master password, if not created a whole new account (using a different e-mail, not info@bitcoinica.com, which is a big red flag). Not to mention securing the MtGox account. Hell, zhoutong should've revoked those API keys that day long ago (he even said the hacker could've used them).
The API keys were revoked immediately, read the beginning of the last "hack" thread. The problem this time is that the withdrawal was via a normal login, which wasn't protected with 2-factor authentication.
As for the API-key-as-a-master-password fuckup, well, I don't have enough info on that to make a judgement. Was that password implemented on the assumption that the source would not be released? Perhaps that's what it was set to AFTER the previous hack (stupid)? Maybe no one correlated it with the API key, and didn't realize the significance?