I (mostly) stopped using LastPass a couple years ago for reasons unrelated to this, but it seems multiple password-leaking vulnerabilities (and other dangerous exploits) have been discovered recently:

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious website would be enough to hand over all your LastPass passphrases to strangers. The weak LastPass script uncovered by Ormandy could be exploited by tricking it into granting access to the manager's internal data. It can also be potentially abused to execute commands on the victim's computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage.

-https://www.theregister.co.uk/2017/03/21/lastpass_vulnerabilities/

Even though I no longer use LastPass for new passwords, my account still has many old passwords I haven't updated in a while, and I have kept the extension installed because of that, since it seems to work more reliably than the extension for the password manager I switched to. So maybe it's time for me to fully ditch LastPass.

I opened up Windows Explorer just now and was greeted by this:

Cryptographers refer to the attack disclosed Thursday as an "identical-prefix" collision, meaning it allows the attacker to create two distinct messages that have the same hash value. This variety is less powerful than the "chosen-prefix" MD5 collision carried out by Flame. In the latter case, attackers can target one or more existing files, such as the digital certificate that a company uses to authenticate its update mechanism. Despite the collision against SHA1 being less powerful, cryptography experts said any real-world identical-prefix attack represented a game-over event for a hashing function.

"In crypto we have the idea that hash function collisions should be really hard to find, even if they're 'useless,'" said Johns Hopkins University professor Matt Green, speaking generally about collisions before he learned the specifics of the new SHA1 attack. A real-world collision attack "is the equivalent of finding out that your scalpel wasn't sterilized properly. It may not verifiably have germs on it, but the whole instrument is considered unsafe."

-https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

Read more here:
https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/