Is LastPass obliged to transplant a hook for master password grabbing whenever NSA makes the request?<p>I find it hard to believe that there has been no such request and something tells me it's easier to install a hook into every LastPass browser plugin downloaded.
Lavabit had a gag order so we really don't know what we need to know in order to accurately assess the situation. That fact's probably enough to conclude you shouldn't trust a company you believe the NSA or allies' equivalents with anything you'd want to believe is secure though.
LastPass has been compromised by hackers before; I think this incident happened last year. Since then, I stopped using LastPass and now I use KeePass, whose database rests on my desktop.