While the overall risk is low for users who had strong passwords, it's not zero. Every year I am reminded several times that using someone else's service puts my data at risk. As of today, I have set up and deployed an instance of the open source alternative "Vaultwarden," and while it was a little tricky, it was definitely not that bad. Vaultwarden is an open source password manager. I'm running a copy of it myself on a computer in the cloud. That means there is no one to fix it if I break it; if my server crashes I have to log in and reboot it; if vulnerabilities are discovered I have to log in and update it, and so forth.
How is this better? Well, Lastpass is a honeypot because it has a lot of data in it. Now I have moved my honey to a smaller pot hidden in an obscure corner of the internet where fewer people are looking for it, and the reward for finding it is far lower. Not worth the effort, basically.
While Lastpass may not know my passwords, I suppose they could scrape some metadata like my IP address and device info, maybe the website I was logging in to. I don't know if they do this in practice, but now I don't have to worry about it.
The biggest benefit was that I learned something new. I used Portainer to install Vaultwarden onto a server in the cloud. Then I used nginx proxy manager to route traffic arriving at that subdomain to the internal IP address and port Vaultwarden is running on. I also had to create a few DNS records.
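As an added example (this is not from the original post, and not Vaultwarden's or nginx proxy manager's own documentation), here is a docker-compose.yml that captures the layout described above: Vaultwarden reachable only on the compose network, and nginx proxy manager in front of it as the only thing exposed to the internet. The service names, host paths, the vault.example.com domain and the ADMIN_TOKEN placeholder are assumptions.

```yaml
# Added example: a docker-compose.yml for the layout described above.
# Not from the original post; service names, host paths and vault.example.com
# are assumptions. Replace the ADMIN_TOKEN placeholder before use.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      # Must match the public URL, or the web vault and WebAuthn will misbehave
      DOMAIN: "https://vault.example.com"
      # Closes the obvious door: nobody who stumbles on the host can create an account
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "false"
      # Don't show password hints on the login page
      SHOW_PASSWORD_HINT: "false"
      # Protects the /admin page; leave it unset to disable the admin panel entirely
      ADMIN_TOKEN: "CHANGE_ME_long_random_placeholder"
    volumes:
      # Everything worth backing up (SQLite db, attachments, RSA keys) lives here
      - ./vw-data:/data
    # No "ports:" mapping: the container listens on port 80 inside the compose
    # network only, so the proxy is the sole way in from outside.
    expose:
      - "80"

  proxy:
    image: jc21/nginx-proxy-manager:latest
    container_name: nginx-proxy-manager
    restart: unless-stopped
    ports:
      - "80:80"              # HTTP: Let's Encrypt challenge and redirect to HTTPS
      - "443:443"            # HTTPS to the vault
      - "127.0.0.1:81:81"    # NPM admin UI: loopback only, reach it over an SSH tunnel
    volumes:
      - ./npm-data:/data
      - ./npm-letsencrypt:/etc/letsencrypt
```

In the nginx proxy manager UI (port 81) you add a proxy host for vault.example.com that forwards to hostname `vaultwarden`, port 80, with "Websockets Support" and "Force SSL" turned on, and request a Let's Encrypt certificate for it; the DNS A/AAAA record for the subdomain points at the VPS. Because both services share the compose network, the proxy reaches Vaultwarden by service name rather than by an IP address. Newer Vaultwarden releases accept, and warn you to use, an Argon2 hash of the admin token in place of the plaintext value. The `./vw-data` directory is the one thing that needs a regular off-box backup.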
My vault is still online, so it's not exactly fixing all of the problems Lastpass has. It's also running on a server I don't own. While my data is encrypted and running in the cloud next to a bunch of other random apps, it could still get hoovered up, I guess, but whoever hoovered it up wouldn't know what they had until after the fact. If that doesn't make sense: Lastpass was known to hold a ton of passwords, so if people wanted credentials, it was a good place to look. Now I've hidden my vault on a random provider's infrastructure, and if someone were to try to hack that entire datacenter, they would have to sort through a lot of mixed data from a bunch of random services people like myself are running.
My VPS provider, while perhaps not knowing exactly what I was running, could still scrape some of my metadata, but probably a lot less of it, so this is an improvement, but it doesn't fix the problem.
I think the most secure situation would be to have a server running locally in my house, but that can cause other problems, like, for example, creating backups, 24/7 uptime, and so on.
So I've made some security improvements, but I've given up some conveniences and have arguably put my data in peril, because there is no one to help should I botch it. But I learned how to do something new, and that's good!