It's a whole different cup of tea though, this compromise required the attacker(s) to go in, download data and get out. Your scenario would also require the attacker to have changed their site and go unnoticed for any significant amount of time.
If that was the case I'm sure Lastpass would've found out and reported as such.
If that was the case I'm sure Lastpass would've found out and reported as such.