Maybe an API is overkill in this case. Instead, a simple web service with a twist: Zappos has a private key and LastPass has the corresponding public key. Now, if Zappos.com is compromised and the breach is discovered and fixed, their CEO/CTO/head security guy grabs the private key and authenticates to LastPass, telling them that he is in fact who he says he is, and finally triggers the massive automatic password reset. Obviously, this will not work if the private key is compromised, but then again, our whole web security paradigm is "trust that the website owner knows what s/he is doing", so this is already a step up.
Or, as I mentioned, let's do away with passwords. Anyone can have your public key so long as your private key stays private.
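The key-based reset call sketched above, as an added example that is not part of the original comment and not code from LastPass or Zappos: the site signs a "reset everything for my domain" message with its private key, the password manager verifies it against the public key it has on file for that domain, and it refuses tampered, stale, replayed or wrong-key messages. Ed25519, the JSON message layout, the field names, the five-minute acceptance window and all type names are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Constructed example; message layout and names are assumptions, not a real API.
const resetAction = "reset-all-passwords"

// ResetRequest is what the breached site signs. The domain sits inside the
// signed payload, so a key registered for one domain cannot reset another's.
type ResetRequest struct {
	Domain   string `json:"domain"`
	Action   string `json:"action"`
	IssuedAt int64  `json:"issued_at"` // unix seconds; bounds the replay window
	Nonce    string `json:"nonce"`     // random and single-use
}

// SignedRequest is the wire envelope: the exact signed bytes plus signature.
type SignedRequest struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Site is the website side; only it holds the private key.
type Site struct {
	Domain string
	Priv   ed25519.PrivateKey
}

// NewSite generates a keypair; the public half is handed to the manager ahead of time.
func NewSite(domain string) (*Site, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Site{Domain: domain, Priv: priv}, pub, nil
}

// SignReset builds the reset request and signs its serialized bytes.
func (s *Site) SignReset(now time.Time) (SignedRequest, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return SignedRequest{}, err
	}
	req := ResetRequest{Domain: s.Domain, Action: resetAction, IssuedAt: now.Unix(), Nonce: hex.EncodeToString(nonce)}
	payload, err := json.Marshal(req)
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Payload: payload, Signature: ed25519.Sign(s.Priv, payload)}, nil
}

// Manager is the password-manager side: one registered public key per domain,
// the nonces already consumed, and a log of the resets it actually triggered.
type Manager struct {
	keys   map[string]ed25519.PublicKey
	seen   map[string]bool
	maxAge time.Duration
	resets []string
}

func NewManager(maxAge time.Duration) *Manager {
	return &Manager{keys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}, maxAge: maxAge}
}

func (m *Manager) Register(domain string, pub ed25519.PublicKey) { m.keys[domain] = pub }

// Resets returns the domains for which a mass reset was triggered.
func (m *Manager) Resets() []string { return append([]string(nil), m.resets...) }

// HandleReset checks key, signature, action, freshness and nonce before acting.
func (m *Manager) HandleReset(sr SignedRequest, now time.Time) error {
	var req ResetRequest
	if err := json.Unmarshal(sr.Payload, &req); err != nil {
		return fmt.Errorf("malformed payload: %w", err)
	}
	pub, ok := m.keys[req.Domain]
	if !ok {
		return errors.New("no key registered for domain " + req.Domain)
	}
	// Verify over the exact bytes that were signed, never over a re-encoding.
	if !ed25519.Verify(pub, sr.Payload, sr.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	if req.Action != resetAction {
		return errors.New("unexpected action " + req.Action)
	}
	age := now.Sub(time.Unix(req.IssuedAt, 0))
	if age > m.maxAge || age < -30*time.Second { // small allowance for clock skew
		return errors.New("request outside the accepted time window")
	}
	key := req.Domain + ":" + req.Nonce
	if m.seen[key] {
		return errors.New("nonce already used: replay rejected")
	}
	m.seen[key] = true
	m.resets = append(m.resets, req.Domain)
	return nil
}

func main() {
	site, pub, err := NewSite("zappos.com")
	if err != nil {
		panic(err)
	}
	mgr := NewManager(5 * time.Minute)
	mgr.Register("zappos.com", pub)
	sr, _ := site.SignReset(time.Now())
	fmt.Println("first submission:", mgr.HandleReset(sr, time.Now()))
	fmt.Println("replayed submission:", mgr.HandleReset(sr, time.Now()))
}
```

The manager looks the key up by the domain found inside the signed payload, so the signature simultaneously proves possession of the private key and binds the request to that one domain; the nonce set and the time window are what turn a captured request into a one-shot rather than a permanent "reset everything" token. As the comment notes, none of this helps if the private key itself was taken in the breach, which is why it should live somewhere the web servers cannot reach.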