Since the OP did not have 2FA, some likely attack vectors include:
- Phishing
- Shoulder surfing
- Key logging or other information-stealing malware
- Social engineering
- Non-random master password
- Improperly secured record of the master password (e.g., written on Post-It note; stored in vault left unlocked, etc.)
- Inadvertent disclosure of the master password (e.g., typing into wrong window when another app steals focus)
- User left one of their devices unattended in a location where access by other persons was possible
- User logged in to their vault on a public computer or any device that they do not have full control over
- User downloaded an unencrypted vault export without taking proper precautions