LastPass risking a €20 million GDPR fine due to unresolved bugs


Level 73
Thread author
Honorary Member
Top Poster
Content Creator
Apr 24, 2016
In the EU, data privacy and the way a company manages a private person’s data is taken very seriously. This is in stark contrast to the way data privacy is handled in the United States, and if a company from the United States should wish to do business in the EU, they must follow the GDPR guidelines or suffer potentially grave consequences.

These are not empty threats. In July, Amazon Europe paid the largest GDPR violation penalty in history. The retail giant was ordered to pay a whopping €746 million after a 10,000-person complaint against the behemoth regarding the way it processes user data was found to be in violation of user's privacy.

It seems that LastPass, who is busy playing cleanup after December’s security debacle, might be throwing its hat in a ring of burning cash. In a Reddit post, user /u/nametaken_thisonetoo posted his grievances with the company, explaining the numerous ways the software holds your data hostage. The post was quickly followed up by an article on AlternativeTo where the author connected these pain points to violations of the GDPR.

Of the many grievances listed, some really standout and they all revolve around tactics that make it hard, if not impossible, for a LastPass free user to export their personal data. For instance, if you’ve dropped down to a free account, LastPass can lock you into their desktop browser offering after three switches between mobile or desktop. Once you’re locked into the desktop plugin, you may not be able to export your data because of a myriad of unanswered bugs.

LastPass forum user tombrady reported this bug on 3/21/2021 where options to export data are simply greyed out with no recourse, and there is still no solution almost ten months later. Interestingly, the forum post was marked as an "accepted solution" by LastPass staff member GlennD who said, “We are aware of this issue and will be releasing an update very soon to correct this”.

In spite of this, the forum post continues to receive complaints of their data being held hostage with no actual confirmation of the bug being fixed. There have been two posts in the last 24 hours asking why the bug still hasn’t been fixed. Meanwhile, GlennD is seemingly fixing all the reported errors by hand. The fact that this bug exists at all may be in direct violation of Article 20 of the GDPR, Right to data portability. This article explicitly states that users should have access to their data, in a ‘commonly used and machine readable format’, without distinction between paying and non-paying customer.


Staff Member
Malware Hunter
Jul 27, 2015
phone and email support are available for LastPass Premium customers, it’s not available for free customers.

This means if you’re in a situation where you don’t have access to your data because of a LastPass bug, you will have to rely on the LastPass forums, which as evidenced above, is a spotty experience that may or may not lead to a solution. By restricting phone and email support from free customers, LastPass seems to again be in violation of Article 20 of the GDPR
When or if free support is not allowed on forums actually is reported and accepted by EU as a genuine GDPR violation, I can buy it. Speculate about it is like speculate that people don't like Facebook and wish it would be gone.
Never Give Up Good Luck GIF

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.