LastPass was hacked just six years ago... how short our collective memory is https://blog.lastpass.com/2015/06/lastpass-security-notice/

As far as getting actual password data, yes, the attack surface is the clients, and as the most common client is presumably the browser plugin, it's probably the most likely to be attacked.

From my interactions with LastPass' support, I'm not sure. They rely on security by obscurity in some parts, I wouldn't be surprised if they did in others.