+1 bitwarden. -1 lastpass.
Lastpass likes to hork up its on-disk database and then eat 100% of a cpu core failing to load. Bitwarden has never given me this issue. Oh, and I can use bitwarden on both my PC and phone without paying them. I'm probably going to pay them for a family account (for the timed account takeover feature) and because I'm good with supporting folks doing open-source.
It is possible you have malware, or got MITM'd, but this looks a lot more likely to me as someone skimmed your credit card (which could have been months ago) and maybe got a username on a user/pass list that happens to match yours at vanguard/fidelity. It doesn't mean they got you, it could just mean your username isn't that unusual.
For MITM, you don't need a VPN. You need to pay attention to your browser telling you if the site is safe or not. The little lock icon being absent, or popups warning you about untrusted certificates are a bad sign. Otherwise, the bad guys just need to successfully MITM the VPN and then you're back to square one. The VPN is likely to throw similar warnings, but if you ignore them, well, its your personal info.
2-factor and random passwords would be my advice. Ideally, 2-factor not with a text message (or email) because that isn't as secure. Bad guys who target you specifically will con some low paid phone support lackey to reset or transfer your phone number and then they win. It requires a dude with a wrench to persuade me to give up my yubikey -- no amount of calling a low paid phone support lackey gets that.