Users who use the same username/password everywhere...
...were unaffected.
But then again, they wouldn't be using LastPass.
LastPass has fixed a security bug that potentially allowed malicious websites to obtain the username and passphrase inserted by the password manager on the previously visited site. In other words, if you visited website A, and LastPass automatically injected a username and password for you to log in, and then you surfed to …
Ah, it's 2019 and there has not been a LastPass breach for at least 12 months. Mind you, I used to bank with NatWest so I should be used to, "hey so soz but we forgot to tell you that there is no security on our app. LOLZ!"
I'm not 100% sure on their statement as the report says:
"you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc)"
As many now use the Chromium backend (and it's reported on the Chromium blog), I'm not sure how valid a statement that is.
Easier said than done. I could see no version info in my LastPass vault; I had to check the version on the executable, and it was still a 4.1 version from August. Nor could I see an update function; eventually I had to uninstall the 4.1 version, then download and install 4.33. Not a big deal, but equally not very helpful.
It's only a single point of failure if you shove everything into it. I don't know anyone who does that even with LastPass or ANY password manager.
None of them ever get my email, banking info or ISP stuff. Keeping my recovery route for all of those passwords in there under my control.
It's still vastly better than reusing passwords.
The problem with this type of article is that it puts a subset of users off using password managers because of "flaws".
In this case the day-to-day risk is probably negligible for the vast majority of users, therefore password managers are still a net gain for your average keyboard masher.