I agree this isn’t the worst-case as you mentioned above. However, it is far from the best case scenario which is closer to “only fake testing vault data was exposed”.
The vault leak is acceptable in terms of Lastpass’s formal threat model but could still result in real user pain e.g. targeted spear phishing using plaintext fields like URLs, or compromise for users with weak passwords.
The vault leak is acceptable in terms of Lastpass’s formal threat model but could still result in real user pain e.g. targeted spear phishing using plaintext fields like URLs, or compromise for users with weak passwords.