That is the problem with all password managers, either the data is held locally, so you have to find some way of keeping various devices in sync yourself, without using a cloud service, or you use the convenience of a cloud service to automatically sync the password database between devices.
As soon as you go for a convenient solution, you lose a point of security, but you gain flexibility and redundancy, without having to worry about it yourself.
If you have the data on the cloud, you are at risk if the cloud service gets hacked - whether that be a password manager cloud, or iCloud, OneDrive, GDrive, HyperDrive etc. If you have it local and your system is hacked, the encrypted blob is available to the hacker as well. If you are hit by crypto malware, your blob won’t be accessible, unless you made your own backup.
Likewise, if you use your own private cloud (a NAS with DynDNS or a server running NextCloud etc.), you have the same problems as the full cloud services, with the added point of you probably not being a full systems administrator, security expert and pen tester, so your system probably isn’t as well implemented and secured as a professional cloud service - especially if you don’t keep it updated.
You have to place your trust somewhere, and if you are using a PC, tablet and smartphone, a dedicated cloud service makes the most sense, as they should be professionals and they should know what they are doing… Even with the LastPass data leak, they only have the encrypted blob, the usernames and passwords should still be secure, the hackers will need to brute force each blob individually, as “everybody” has their own strong master password, so it will take millenia to break into each blob, using current brute force techniques and state of the art hardware.
Unless they strike lucky - they start on your blob and you used a weak password that is easily guessed - you will have several lifetimes in which to go around and change all your passwords.
I’ll phrase the following generically, as it is pertinent to every password manager, whether it is using the password manager’s own cloud, a cloud service like OneDrive etc. or is stored only on your local PC or your own private cloud.
Do you need to change your master password?
If it is strong, not really, it won’t change anything, as the hackers have your blob and changing your master password won’t affect the extracted blob. Only if they still have their fingers in the host system, where the live blob is stored, will they be able to check back in and see your changed passwords, once they have cracker your master password.
Do you need to change your individual site passwords?
This is probably a good idea, but triage your data and prioritise what needs changing - banking, social media and shopping sites need to be top of the list, as do Apple, Google, Microsoft etc. Forums or sites without financial data about you can be bumped down the list, they would be annoying if you lost control of them or somebody logged in as you and spammed them, but they aren’t priority number one.
Should you change the password manager you are using?
All of them are vulnerable to this sort of attack, so there is no guarantee. You could swap from your current PM to a new one, just as they get hacked… You could find yourself in an eternal hell of constantly swapping password managers. If they have done a good job securing your blob & you are generally happy with the service, there is no reason to jump on day 1. If they are getting regularly hit, then is a good time to move.
In the explicit case of LastPass, they were hit twice within a couple of months, the first time, they managed to get some source code and enough information to phish an employee to get access to encrypted cloud backups, including the encryption keys, which is how they managed to get the blobs. Two incidents within a couple of months says to me, that they dropped the ball on user training after the first attack.
Secondly, it transpires that important, but not critical security information, such as the URLs to the individual entries in the safe, were not encrypted, only usernames, passwords and secure notes. This makes the decryption on the client a little quicker, but given today’s hardware, I would have expected all information to have been encrypted.