I get why they can't provide details. But a close read of that incident report doesn't answer whether they even know how it happened. Did I miss something?
With these types of incidents, you want to make sure you have the facts before you make claims. They are probably doing tons of investigation to figure out what actually happened. This could be difficult depending on the level of sophistication of the attackers.
If LastPass says "Attackers took everything" when the attackers only took a few non-identifiable pieces of info; it will be a huge non-recoverable media event about attackers taking everything even if it's not true.
If LastPass say "Attackers didn't do anything" but stole a lot of sensitive info, then it makes LastPass look incompetent.
This is really a situation where they need to understand the scope of the situation before making a detailed comment.
