Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.
It would be very hard for this to happen, as your password never gets sent to LastPass; all the encryption happens on your computer.
I'm not sure I follow this; the master password, or at least its hash, must be sent to LP in order to log in. If, when you log into the website using your master password, the webpage hashes the password and then sends the password to the server for verification, that still leaves the website as an attack vector where the login could be sent in plaintext to the attacker's website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something about the way LastPass works?
When you use the client I believe it downloads a nonce as part of the authentication, rendering a replay attack improbable.
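The replay concern raised above and the nonce-based answer to it, as an added illustration that is not from the thread and is not LastPass's actual protocol: the client derives an authentication key from the master password locally, the server issues a single-use nonce, and the client answers with an HMAC over it, so a captured response is useless on the next login. Iteration count, salt choice and the key-derivation function are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameter for the illustration; real services tune this differently.
ITERATIONS = 100_000


def derive_auth_key(master_password: str, email: str) -> bytes:
    """Client side: derive an authentication key from the master password.
    The password itself never leaves the client; only this derived key is used."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.encode(), ITERATIONS)


class Server:
    """Server stores the derived key (never the password) and issues single-use nonces."""

    def __init__(self, stored_key: bytes):
        self.stored_key = stored_key
        self.issued = set()   # nonces handed out and not yet consumed
        self.used = set()     # nonces already consumed

    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Each nonce is valid exactly once: a replayed response reuses a consumed nonce and fails.
        if nonce not in self.issued or nonce in self.used:
            return False
        self.issued.discard(nonce)
        self.used.add(nonce)
        expected = hmac.new(self.stored_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(auth_key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the derived key without sending it."""
    return hmac.new(auth_key, nonce, hashlib.sha256).digest()


def demo() -> tuple:
    # Constructed credentials for the demonstration.
    key = derive_auth_key("correct horse battery staple", "user@example.invalid")
    server = Server(key)
    nonce = server.issue_nonce()
    response = client_respond(key, nonce)
    genuine = server.verify(nonce, response)     # first, legitimate login succeeds
    replayed = server.verify(nonce, response)    # same bytes resent by an eavesdropper fail
    return genuine, replayed
```

Intercepting the response also does not yield the derived key, since the HMAC is bound to a nonce that the server never accepts twice.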
LastPass was not the weakness here. The interesting point, which I have not seen anyone point out, would be:
Why on earth would anyone in their right mind select a UUID for a master password? There are only two possibilities I can come up with:
1. They all knew it was the Mt.Gox key so they could copy/paste it anytime they needed.
2. They had the 'remember password' option selected in LP.
Why anyone that knows *anything* about security would think that either of those options was good is beyond me. They would have been worlds better off selecting a known phrase such as "We all live in a yellow submarine", easily remembered and told over the phone, etc.