Basically yes, but the difference in threat potential between “random person” and “person who controls access to the secure passwords of many thousands of people, most of them more tech savvy than the average user” is exponential.
No? You'd have to carry out the third-party software RCE on each individual user to install a keylogger. This attack installed a keylogger on a single computer, then exfiltrated millions of passwords. Centralization is a bad thing. Same modus operandi maybe, but nowhere near the same impact.
Yes, but the article made it seem like they had RCE to his home PC. With that they installed the keylogger to retrieve the master key which they then used to decrypt the offline vault.
I think the point is all of the users of LastPass whose passwords were put at risk through this one breach. Using LastPass means that a single, high-value target is now an attack vector that can affect you. If you keep it offline yourself, you're not likely to be a high-value target, and you won't have to worry about the 3rd party with your passwords being compromised.