It looks like the only relevant data that was unencrypted are the URLs [0]. I'm guessing that was some sort of design decision they made for the browser extension to be able to see if you had a password for that site.
If anything, apart from leaking the domain, which could still be a privacy issue, they should have at least sanitized the URLs to remove usernames or tokens if they were going to automatically save those URLs to the vault. I can guess that not doing so allowed their auto-login function to work on some websites by saving the login URL endpoint, but all I'd really want is the vault to keep the sanitized domain.
If anything, apart from leaking the domain, which could still be a privacy issue, they should have at least sanitized the URLs to remove usernames or tokens if they were going to automatically save those URLs to the vault. I can guess that not doing so allowed their auto-login function to work on some websites by saving the login URL endpoint, but all I'd really want is the vault to keep the sanitized domain.
[0]: https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass...