They lost data months ago, but are announcing it now? Those poor security professionals having to deal with this over New Year's.

IMO, the way to judge a security company isn't whether they get hacked - but how quickly they let users know so those users can cycle all passwords.

For any users that might have someone with large decrypt resources (e.g. national actor) interested in what they might be doing, the best time to switch to a different manager and cycle all passwords was months ago. Second best time is right now. If it took them months to announce this. I don't think they're hiding any more - why would they given that the holidays are a perfect time to dump (erm... post) them? But if you stay with them and this happens again, and they don't tell you - that's on you.

That said, there are issues with how LP encrypts the local database (method of encryption, number of iterations, fields encrypted, db-wide checksums / hash).

On top of all those issues, LP is now owned by private equity. Think they're going to spend any money to fix things, or just focus on looking good so they can extract as much rent as they can?

Do yourself a favor...

All that said, 1Password was one of my finalists, but I ended up picking Bitwarden as it checked all my boxes plus was open source (gotta love O/S), and has been through a number of audits (multiple partials plus one full one I'm aware of) - and you can self-host.

Oh: if you're using LP corporate because you can 'hide' passwords from people you're delegated them to - don't believe LP on that one. There's a checkbox that lets you 'show' the password to your delegate-ee, but if you've left that unchecked they can see it by turning on browser debugging. Not... exactly lying on LPs part, but I see it as misleading.