The large issue with the LastPass leak is that URLs were stored unencrypted. An attacker can use that with other related data (such as email addresses and contact information) to conduct spear phishing attacks.

You don't need to brute force a vault password to get a password, you just have to get enough information to claim to be the user or the service.