The problem with Lastpass and all its kind is that it depends on a remote service/server that must have vulnerabilities. Even if you are not too concerned about the encrypted hashes stored on their server, the app depends on constant traffic of those usernames and passwords transiting from your device to their systems. Each layer presents a potential vulnerability: the app, your device, the https protocol, the intermediate devices, for example spoofing the server. Again, trusting the app allows it access to all pages you visit which again provides an attack vector. And, being used by so many it makes it an obvious target for criminals.
They have avoided major issues to date, that is no guarantee of protection in the future. You have to ask, what incentive is there for any free service to ensure the very highest security, as opposed to, say, paid services from the likes of Google, Microsoft, others - and they struggle sometimes.
You pays your money (or not) and you makes your choice.