Never was a more timely question asked.
I have been using LastPass for about a year now, and as a rresult of this thread I have just removed it.
First to answer your question, my understanding of how they do that is that when a vulnerability has been announced and they get a copy of the compromised accounts from their security partner (sorry I've forgotten who that is) they then cross check the list with the email address you used to create your LastPass account. I've never felt the security was a problem and I really liked the cross platform operation, both on OSes (Win and MAC) and across browsers (for me Chrome, IE, and FF).
So here is why I removed it today. Lately I have noticed what appears to be an unpublished cap on the number of entries you can have in the database. Roughly 24, but to be honest I was so pissed off I didn't bother counting. The manifestation of this was that I started to lose entries when I created a new one. So, I'd go back to recreate the entry and then later - some times days or weeks - would discover another important entry missing.
I wanted to tell you the above security thingie today so of course I came here to the web site (I ready the headlines via RSS btw) and asked LastPass to enter my details. Which it did. And incorrectly so. There is a feature within the LastPass database (The "Vault") that hides passwords, but you can click a link to reveal them. It seems that LastPass saved my password as ********. Yes, that's right, a string of asterisks.
I frequent this site although I'm more of a lurker than anything else. But I'm here everyday to read something of interest that has surfaced in the RSS feed. As a result I was severely ticked off when this happened. I no longer can use LastPass, can no longer recommend it and will at every opportunity campaign against its use.
I have been irritated with their support level as well for some months. When I first noticed the issue with disappearing credentials, I tried to send a support email. Nope, not possible. Instead, you are directed to a "Support" page with several dozen links to help articles that for me never had anything to do with my problems. You can search on key words, but that's an imperfect form of black magic, even with the best search engines. And no where is there a "Contact Us" link. Christ, that's the type of thing I tell people is a sign of things to stay away from.
So there you have it. I still think the idea is a great one. Before I hit the limit on entries, LastPass did everything I asked of it. But once I hit that magic spot, everything came apart.
Having said all of this, I acknowledge that having played with computers for roughly 20 years, and supported them at a University for 15 of those years means I am no expert. So, if someone else had a good experience with LastPass and feels *I* have made a mistake or could have easily solved my problem with the service, please do let me know.
In the meantime, I will be taking recommendations for a new password keeper because I am pathetic with the remember a password doing thing.