This is one of the things that scares me. If an attacker had access to dump their credential digests, could they also have modified the site to silently log credentials upon entry?
From their statements so far, it doesn't seem that happened, but it seems likely that it could.
It's a whole different cup of tea though, this compromise required the attacker(s) to go in, download data and get out. Your scenario would also require the attacker to have changed their site and go unnoticed for any significant amount of time.
If that was the case I'm sure Lastpass would've found out and reported as such.
