LastPass finally admits the crooks did steal your password vaults, after all
From: newskr...@krawl.org (NewsKrawler)
Newsgroups: comp.mobile.android
Subject: LastPass finally admits the crooks did steal your password vaults, after all
Date: Mon, 26 Dec 2022 19:24:12 -0000 (UTC)
Organization: To protect and to server
Message-ID: <tocscr$1b2qv$1@paganini.bofh.team>

https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/

LastPass finally admits - those crooks who got in?
They did steal your password vaults, after all

Two-factor authentication (2FA) didn't help in this particular attack.

We're guessing that's because LastPass, in common with most companies and
online services, doesn't literally require 2FA for every connection where
authentication is needed, but only for what you might call primary
authentication.

To be fair, many or most of the services you use, probably including your
own employer, generally do something similar.

Typical 2FA exemptions, aimed at reaping most of its benefits without
paying too high a price for inconvenience, include:

Doing full 2FA only occasionally, such as requesting new one-time codes
only every few days or weeks. Some 2FA systems may offer you a "remember me
for X days" option, for example.

Only requiring 2FA for initial login, then allowing some sort of "single
sign-on" system to authenticate you automatically for a wide range of
internal services. In many companies, for instance, logging on to email
also gives you access to other services such as Zoom, GitHub, or other
systems you use a lot.

Issuing "bearer access tokens" for automated software tools, based on
occasional 2FA authentication by developers, testers and engineering staff.
If you have an automated build-and-test script that needs to access various
servers and databases at various points in the process, you don't want the
script continually interrupted to wait for you to type in yet another 2FA
code.

Requiring 2FA only for the first login from a new device, such as a new
mobile phone. This minimises the number of times you need to go through the
2FA process yourself, while nevertheless preventing crooks from simply
trying out your passwords on their own devices.

In its previous breach notifications, the company had carefully spoken
about customer data (which makes most of us think of information such as
address, phone number, payment card details, and so on) and encrypted
password vaults as two distinct categories.

This time, however, "customers' information" turns out to include both
customer data, in the sense above, and password databases.

Not literally on the night before Christmas, but perilously close to it,
LastPass admitted that:
"The threat actor copied information from backup that contained basic
customer account information and related metadata including company names,
end-user names, billing addresses, email addresses, telephone numbers, and
the IP addresses from which customers were accessing the LastPass service."

Loosely speaking, the crooks now know who you are, where you live, which
computers on the internet are yours, and how to contact you electronically.

The admission continues:
"The threat actor was also able to copy a backup of customer vault data."

So, the crooks did steal those password vaults after all.
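The four 2FA exemptions listed in the article (remembered device, single sign-on, bearer tokens for automation, 2FA only on a new device) modelled as one step-up decision function. This is an added example, not code from the article, the poster or LastPass; it assumes a 14-day remember-device window, an HMAC-signed device token and the credential kinds `password`, `sso` and `bearer`.

```python
import hashlib
import hmac
from typing import Optional

# Assumed "remember me for X days" window; the article gives no figure.
REMEMBER_DEVICE_SECS = 14 * 24 * 3600


class StepUpPolicy:
    """Decides whether a login must complete 2FA, applying the exemptions
    the article lists: remembered device, SSO, bearer token, known device."""

    def __init__(self, secret: bytes):
        self.secret = secret  # server-side key for device-token MACs

    def _mac(self, user: str, device_id: str, issued_at: int) -> str:
        msg = f"{user}|{device_id}|{issued_at}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_device_token(self, user: str, device_id: str, now: int) -> str:
        """Called once 2FA succeeded on this device: binds user+device+time."""
        return f"{now}:{self._mac(user, device_id, now)}"

    def needs_2fa(self, user: str, device_id: str, device_token: Optional[str],
                  now: int, credential: str = "password") -> bool:
        # SSO sessions and automation bearer tokens were authenticated
        # upstream; 2FA is never re-checked on this path (exemptions 2 and 3).
        if credential in ("sso", "bearer"):
            return False
        # No device token: first login from a device never seen (exemption 4).
        if device_token is None:
            return True
        issued, _, mac = device_token.partition(":")
        if not issued.isdigit():
            return True
        # Token must be bound to this user and device; constant-time compare.
        if not hmac.compare_digest(mac, self._mac(user, device_id, int(issued))):
            return True
        # A remembered device is trusted only inside the window (exemption 1).
        return now - int(issued) > REMEMBER_DEVICE_SECS
```

Every `False` returned above is an authentication that 2FA never guards, so the device tokens, SSO sessions and bearer tokens behind those paths need the same protection as a password, and the window for remembered devices should be as short as users will tolerate.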

