In September, LastPass said, "We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults."

In the blog post which addressed the latest breach, LastPass acknowledged the bad actors were, in fact, "able to gain access to certain elements of our customers’ information".

It is indeed awful that bad actors captured LastPass passwords, but those can be changed. But customers base their response actions on what LastPass communicates to their users. It's really bad to say "everything is fine", followed by a gigantic "well, hold on now..."