Basically yes, but the difference in threat potential between “random person” and “person who controls access to the secure passwords of many thousands of people, most of them more tech savvy than the average user” is exponential.
No? You'd have to carry out the third-party software RCE on each individual user to install a keylogger. This attack installed a keylogger on a single computer, then exfiltrated millions of passwords. Centralization is a bad thing. Same modus operandi maybe, but nowhere near the same impact.
Yes, but the article made it seem like they had RCE to his home PC. With that they installed the keylogger to retrieve the master key which they then used to decrypt the offline vault.
I think the point is that all of the users of LastPass had their passwords put at risk through this one breach. Using LastPass means that a single, high-value target is now an attack vector that can affect you. If you keep it offline yourself, you're not likely to be a high-value target, and you won't have to worry about the third party holding your passwords being compromised.
This cannot be overstated. The online managers have an absurd amount of complexity. Just think of all the millions already spent tracing back the attack, writing these statements, all the turmoil inside the company... just for the convenience of synchronizing passwords seamlessly.
I'm using offline KeePass. It's great.