Board: Bitcoin Discussion
Topic: Re: Bitcoinica MtGox account compromised
by MrTeal on 24/07/2012, 20:38:41 UTC
Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.

It would be very hard for this to happen, as your password never gets sent to LastPass; all the encryption happens on your computer.
I'm not sure I follow this; the master password, or at least its hash, must be sent to LP in order to log in. If, when you log into the website using your master password, the webpage hashes the password and then sends the password to the server for verification, that still leaves the website as an attack vector where the login could be sent in plaintext to the attacker's website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something about the way LastPass works?
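
The replay concern raised in the post above, as an added example that is not part of the original post and is not LastPass's actual protocol: a login that accepts a fixed client-side hash treats any captured copy as valid, while a one-time server challenge rejects the same captured bytes. The class names, sample credentials and KDF parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials; all parameters here are illustrative assumptions.
EMAIL, MASTER = "user@example.com", "correct horse battery staple"

def derive(master, email, rounds=10_000):
    """Client side: the vault key stays local; only a one-way verifier is sent."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), email.encode(), rounds)
    verifier = hashlib.sha256(b"login|" + key).digest()
    return key, verifier

class StaticHashServer:
    """Accepts the verifier itself, so the verifier is password-equivalent."""
    def __init__(self, verifier):
        self.verifier = verifier
    def login(self, sent):
        return hmac.compare_digest(sent, self.verifier)

class ChallengeServer:
    """Issues a single-use nonce; the client answers with HMAC(verifier, nonce)."""
    def __init__(self, verifier):
        self.verifier, self.pending = verifier, set()
    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce
    def login(self, nonce, proof):
        if nonce not in self.pending:      # unknown or already-used nonce
            return False
        self.pending.discard(nonce)        # each nonce is valid exactly once
        expected = hmac.new(self.verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)

def demo():
    key, verifier = derive(MASTER, EMAIL)
    static = StaticHashServer(verifier)
    server = ChallengeServer(verifier)
    nonce = server.challenge()
    proof = hmac.new(verifier, nonce, hashlib.sha256).digest()
    return {
        "key_differs_from_verifier": key != verifier,
        "static_replay_accepted": static.login(verifier),   # captured hash reused
        "challenge_first_use": server.login(nonce, proof),
        "challenge_same_nonce_again": server.login(nonce, proof),
        "challenge_old_proof_new_nonce": server.login(server.challenge(), proof),
    }

if __name__ == "__main__":
    print(demo())
```

Neither scheme covers the first scenario in the post: a tampered login page sees the master password before any hashing takes place, so that case depends on the integrity of the client code rather than on the login exchange.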