This is not an accurate report of the situation. LastPass noticed some bizarre traffic coming from one of their servers. They immediately notified users of this and forced a master password reset. "We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs." In the end they concluded that either no or a very very very very small portion of data was breached (no one could actually prove any data was taken). All of that data was very securely encrypted and required the user's master password, which is supposed to be 12+ characters at a minimum, to get the underlying passwords. They brought in multiple external security firms to help audit. The real problem was that they reacted in an overkill way--they were too responsible in their disclosure, leading people to believe that the end result was that they were thoroughly hacked.
That's the summary of the event:
"For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our Asterisk phone server more open to UDP than it needed to be, which was an issue our auditing found, but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on."
You can trust LastPass.