Security Rated 3 out of 5 stars
Let's suppose the current owners of LastPass sell their business.
What can prevent the new owner from modifying the JavaScript that handles the encrypted passwords, so that the modified JavaScript sends the password via SSL to the new owner, as plain not-encrypted text?
Is the JavaScript/extension code at least open source for public inspection?
This is not a big threat
If LastPass was sold, the company that bought LastPass wouldn't destroy the value of it by doing something like this. They'd have to release an update for this to happen as well, which would be closely watched.
You can watch any SSL request and see the data that's sent across using Tamper Data for Firefox or Fiddler2 for IE -- we advertise this stuff so people can make informed choices and verify for themselves what LastPass is doing: https://lastpass.com/faq.php#howcanilook
Let's compare using the built-in Firefox password manager to using LastPass -- in both cases you have to worry that the company making the product doesn't go rogue, fine. In both cases you could look at the source code to see, but an exceptionally low number of people actually would.
Where they start to separate is in Firefox's case you have to also worry about every other program you run on your computer, knowingly or not: spyware, malware that you accidentally run can instantly grab your passwords (LastPass' Windows installer shows this threat). Trojans like Torpig collected 38% of their data directly from the built-in password managers.
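The check described in the reply above (watching what the client sends over SSL), as an added example that is not part of the original thread or LastPass's own code: it assumes the proxy capture was exported as a HAR file and scans every request for a known secret in common unencrypted encodings. The secret, host names and sample capture are constructed for illustration.

```python
import base64
from urllib.parse import quote, quote_plus

def secret_encodings(secret: str) -> list:
    """Forms in which an unencrypted secret could appear in a request."""
    raw = secret.encode("utf-8")
    return [
        ("plain", secret),
        ("url-encoded", quote(secret, safe="")),
        ("form-encoded", quote_plus(secret)),
        # Only matches when the secret alone was base64-encoded, not when it
        # is embedded in a larger encoded blob.
        ("base64", base64.b64encode(raw).decode("ascii")),
        ("hex", raw.hex()),
    ]

def find_leaks(har: dict, secret: str) -> list:
    """Return (request URL, field, encoding) for each request part holding the secret."""
    if not secret:
        raise ValueError("secret must be non-empty")
    needles = secret_encodings(secret)
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = [("url", req["url"]),
                 ("body", req.get("postData", {}).get("text", ""))]
        parts += [("header:" + h["name"], h["value"]) for h in req.get("headers", [])]
        for field, value in parts:
            # Report the first encoding that matches in this field.
            label = next((name for name, n in needles if n in value), None)
            if label:
                hits.append((req["url"], field, label))
    return hits

# Constructed test secret and capture (HAR 1.2 layout, trimmed to the fields used).
SECRET = "Tr0ub4dor&3 test"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://vault.example.invalid/login", "headers": [],
                 "postData": {"text": "username=alice&password=Tr0ub4dor%263+test"}}},
    {"request": {"url": "https://vault.example.invalid/getaccts", "headers": [],
                 "postData": {"text": "username=alice&hash=5e884898da28047151d0e56f"}}},
    {"request": {"url": "https://vault.example.invalid/sync",
                 "headers": [{"name": "X-Debug",
                              "value": base64.b64encode(SECRET.encode()).decode()}]}},
]}}

if __name__ == "__main__":
    for url, field, encoding in find_leaks(SAMPLE_HAR, SECRET):
        print(f"{url}: secret found in {field} ({encoding})")
```

Run it with a throwaway secret typed into a test account, so the real master password never has to be written into a script or capture file.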