It presents no security risk because:
- The master password is never directly used for accessing the kdbx file or the Kee Vault authentication server. Instead, two different and cryptographically unrelated 256-bit keys are created - one per the usual kdbx access process (Argon2) and one using PBKDF2 (SHA-256, 500 iterations).
- The resulting Kee Vault authentication key is never sent to the authentication server - instead SRP is used to verify both the server and the client (user) are who they say they are.
This means that server-side compromise reveals only an SRP verifier. Breaking this (cryptographically close to impossible - no one has done a similar thing yet) reveals only a 256-bit secret key that is unrelated to the information needed to open the kdbx file. In that worst-case scenario of SRP being broken, any attacker would still need to brute force via the PBKDF2 protected secret key before a master password could be revealed.
Additionally, the secret key contains salts including your email address to protect against large-scale (untargeted) attacks. Since your email address is AES encrypted in the database that contains the SRP verifier, this further reduces the chances that a remote server compromise is a feasible attack vector. All this essentially combines to mean that a client-side attack is the only feasible risk in this regard, and no client-side attacker is going to find that breaking SHA-256 or brute forcing PBKDF2 is the easiest approach to take once the client is compromised.
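As an added illustration of the authentication-side design described above (not Kee Vault's own code), the following Python derives the PBKDF2 authentication key with an email-bound salt and turns it into an SRP verifier, which is all the server would store. The exact salt layout, the SRP hash-to-x step and the SRP group are assumptions: the page only states that the salt includes the email and that SRP is used. The Argon2-derived kdbx key is a separate derivation and is not shown here (Argon2 is not in the standard library).

```python
import hashlib
import secrets

# SRP group: RFC 5054 Appendix A, 1024-bit prime with generator 2
# (an assumption for this example; check the constant against the RFC before relying on it).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
G = 2
PBKDF2_ITERATIONS = 500  # as stated on the page for the authentication key


def auth_key(master_password: str, email: str) -> bytes:
    """256-bit authentication key: PBKDF2-HMAC-SHA256 over the master password.

    The salt binds the key to the account's email address, so a table built for
    one email is useless against another (the untargeted-attack point above).
    The domain-separation prefix is an assumed, example-only construction.
    """
    salt = hashlib.sha256(b"kee-vault-auth-example:" + email.encode("utf-8")).digest()
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def srp_verifier(key: bytes, srp_salt: bytes) -> int:
    """SRP-6a style verifier v = g^x mod N with x = H(srp_salt || key).

    The key itself never leaves the client; only (srp_salt, v) is stored server-side.
    """
    x = int.from_bytes(hashlib.sha256(srp_salt + key).digest(), "big")
    return pow(G, x, N)


def derive_server_record(master_password: str, email: str) -> dict:
    """What registration would hand to the authentication server: a random
    per-account SRP salt and the verifier, never the key or the password."""
    srp_salt = secrets.token_bytes(16)
    verifier = srp_verifier(auth_key(master_password, email), srp_salt)
    return {"srp_salt": srp_salt, "verifier": verifier}


if __name__ == "__main__":
    # constructed sample account, not real credentials
    record = derive_server_record("correct horse battery staple", "alice@example.com")
    print("server stores only:", record["srp_salt"].hex(), hex(record["verifier"])[:18] + "...")
```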