It would be very hard for this to happen, as your password never gets sent to LastPass; all the encryption happens on your computer.
You just need to install Lastpass on your new computer and enter your password. It will download your passwords from the encrypted server.
Have either of you used LastPass? It's possible to log in to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers. Not that any of this is entirely relevant to the situation...
Storing passwords for all system components behind one password/access point is a most obvious and deliberate insecurity.
No. The easiest way to understand why that is so is to explore the alternatives. It's a lot easier to keep one password (which might include two-factor auth) provably secure than several. I don't have to plan for my LastPass password getting broken, since it's heat-death-of-the-universe-unfeasible for someone to break it. Thus the risk management is at an optimum.
You don't gain security if you split it up, only obscurity. Increasing the number of different passwords someone needs to remember also increases the risk of people inventing "password schemes", which all lessen security by lowering entropy.
Bitcoinica using LastPass wasn't a problem. Using a known string as master password was.
I understand what you are getting at, and in the technical sense only I agree. But having access to each system component distributed between different username and password combinations, even if they tend to follow a scheme or formula, still requires more effort to break into each one than to compromise one account that gives access (information) for all of the components. An attack on that one account may for now be technically unfeasible, but combined with a leak and/or stupidity, as in this case, the results were far more catastrophic than they might have been had passwords not been centrally stored.
I feel that this whole episode would benefit from a means of questioning the Intersango Trio, Mt Gox and others involved without the mudslinging and angry rants that account for 80% of this thread. We need a clear and detailed chronology of events (which can then be further interrogated) so that everyone is on the same page about what did/did not happen. Clear information about the existence of any investigations or legal action would also be helpful in working out solutions to all of the issues described.
BB.