
blackenedEDGE t1_j870qic wrote

While true, LastPass derives the encryption key from your master password using an algorithm called PBKDF2. There are guidelines for how many iterations of PBKDF2 you're supposed to use--on the client side; server-side iterations are mostly irrelevant in regards to overall security. LastPass failed to follow these guidelines and failed to guarantee that those who had vaults prior to each increase in the recommended iterations--or at least whenever LastPass actually increased the number by default for new vaults--were encouraged to log in ASAP and re-encrypt their vault with a key using the new default number of iterations to derive the key from their master password.

The current guidelines--which LastPass was informed of by OWASP--are to use at least 600,000 iterations. Only after being breached did they increase it...but only to the previously recommended number, 310,000. However, as of the breach that saw vault backups stolen, there were still some vaults that had fewer than 310K, even as low as 1 for a few people who've been customers for a long time.

2
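An added example (not code from the comment above, and not LastPass's implementation) showing what the iteration count actually buys: the vault key is derived client-side with PBKDF2-HMAC-SHA256, an attacker holding a stolen vault backup re-derives candidate passwords under whatever count that vault was encrypted with, and the per-guess cost scales linearly with that count. The master password, email-style salt and wordlist are constructed for illustration; the page does not state LastPass's salt scheme or key length, so those are assumptions. The iteration counts (1, 310,000, 600,000) are the ones mentioned in the comment.

```python
import hashlib
import time

# Constructed example values (not LastPass's real parameters): an email-style
# salt and a deliberately weak master password, so the brute-force math is visible.
MASTER_PASSWORD = "correcthorse"
SALT = b"user@example.com"   # constructed; the page does not state LastPass's salt scheme
KEY_LEN = 32                 # assumed 256-bit vault key

# Iteration counts the thread mentions: the lowest seen in stolen vaults, the
# count LastPass raised to after the breach, and the current OWASP guidance.
LEGACY_ITERATIONS = 1
POST_BREACH_ITERATIONS = 310_000
OWASP_ITERATIONS = 600_000

# Constructed attacker wordlist; the real password sits near the end so the
# attempt count is meaningful.
WORDLIST = ["password", "letmein", "lastpass1", "Summer2023!", "correcthorse", "hunter2"]


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Client-side PBKDF2-HMAC-SHA256 derivation of the vault encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)


def crack_dictionary(stored_key: bytes, salt: bytes, iterations: int, wordlist):
    """Offline guessing against a stolen vault: re-derive each candidate with the
    iteration count the vault was encrypted under and compare. Returns the
    recovered password (or None) and the number of PBKDF2 runs spent."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if derive_vault_key(candidate, salt, iterations) == stored_key:
            return candidate, attempts
    return None, attempts


def guess_rate_ratio(weak_iters: int, strong_iters: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so this is how many more
    guesses per second an attacker gets against the weakly-derived vault."""
    return strong_iters / weak_iters


def vault_needs_rederivation(stored_iterations: int, current_default: int) -> bool:
    """A vault backup keeps whatever count it was encrypted with. Raising the
    default for new vaults changes nothing for it until the user logs in and
    re-encrypts under the new count."""
    return stored_iterations < current_default


def time_derivation(iterations: int) -> float:
    """Wall-clock seconds for one derivation at the given count (one attacker guess)."""
    start = time.perf_counter()
    derive_vault_key(MASTER_PASSWORD, SALT, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for label, iters in [("legacy", LEGACY_ITERATIONS),
                         ("post-breach", POST_BREACH_ITERATIONS),
                         ("OWASP", OWASP_ITERATIONS)]:
        secs = time_derivation(iters)
        print(f"{label:>11} {iters:>8} iterations: {secs * 1000:8.2f} ms per guess")

    # Same wordlist and same number of attempts either way, but each attempt
    # at 600,000 iterations costs 600,000x what it costs at 1 iteration.
    legacy_key = derive_vault_key(MASTER_PASSWORD, SALT, LEGACY_ITERATIONS)
    found, attempts = crack_dictionary(legacy_key, SALT, LEGACY_ITERATIONS, WORDLIST)
    print(f"legacy vault cracked: {found!r} after {attempts} guesses")
    speedup = guess_rate_ratio(LEGACY_ITERATIONS, OWASP_ITERATIONS)
    print(f"attacker speed-up vs OWASP count: {speedup:,.0f}x")

    # The derived key changes with the iteration count, which is why an old
    # vault must actually be decrypted and re-encrypted to benefit from a raise.
    new_key = derive_vault_key(MASTER_PASSWORD, SALT, OWASP_ITERATIONS)
    print("key changes with iteration count:", legacy_key != new_key)
    print("legacy vault needs re-encryption:",
          vault_needs_rederivation(LEGACY_ITERATIONS, POST_BREACH_ITERATIONS))
```

Run it and compare the per-guess timings: the wordlist attack above finds the password after the same five attempts regardless of the count, so the only thing protecting a vault with a weak master password is the per-attempt cost, and a vault left at 1 iteration gives an attacker roughly six hundred thousand times the guess rate of one at the OWASP figure. Because the key itself differs per count, bumping the default on the server side does nothing for an existing backup; the client has to re-derive and re-encrypt.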