Why could LastPass risk a 20 million fine under the GDPR?


Alexander Boero

January 12, 2022 at 3:55 p.m.


The American password manager LastPass, which was reportedly the victim of a cyberattack recently, is also accused of possible breaches of the GDPR.

On Reddit, a user dissatisfied with LastPass's pricing policy conducted his own small investigation and, in a post picked up by some American media, denounced the way the software allegedly holds its users' data "hostage". He raises numerous grievances against LastPass regarding personal data, going so far as to state that the password manager violates the General Data Protection Regulation (GDPR).

A block on exporting passwords that would push users toward the paid version of LastPass

The user nametaken_thisonetoo accuses LastPass, with supporting arguments, of implementing a whole strategy aimed at preventing users who wish to leave the tool from exporting their password vault to recover it, on the pretext that they are using the free version of the manager. Except that these passwords amount here to personal data.

On the r/software subreddit, the user explains that the export function automatically fails after three switches between the desktop version of LastPass and the mobile version, thus preventing those whose account is locked to mobile from exporting their data. The block would in fact apply regardless of the version of the manager (desktop, mobile or browser).

This practice, if proven, would amount to pushing the user to subscribe to the paid LastPass offer in order to be able to export their passwords, which is contrary, according to the Redditor, to Article 20 of the GDPR, which recognizes the right to data portability. This article provides that a user is entitled to receive the personal data concerning them "in a structured, commonly used and machine-readable format" (CSV, for example), without the data controller to whom the data was provided (here, LastPass) hindering this.

Repeated problems for LastPass

This data export bug (deliberate or not) was first reported on March 21, 2021. A LastPass employee indicated at the time that a future update would correct the defect, except that this fix is still pending, ten months later. And complaints are beginning to multiply, which, as you will see, has the merit of making things happen.

Communication between LastPass and its users is in any case complicated, with some denouncing the lack of a support channel dedicated to this type of problem, which forces users to "create a separate account to access community forums where one can post about how LastPass is illegally holding your data hostage, hoping someone from the company will respond", adds the Redditor nametaken_thisonetoo.

Fortunately, LastPass reacted and ended up unblocking the situation, if the user is to be believed. He was finally able, within a few minutes, to download a CSV file of his passwords. For these breaches, LastPass is not immune from being sanctioned in Europe, where the GDPR provides for a fine of up to 20 million euros, or up to 4% of the company's worldwide turnover. An outcome that nevertheless seems very unlikely to us.

LastPass seems to be going through a turbulent period. The password manager, easy to use and compatible with Windows and macOS, was recently the victim of a computer attack, which led to e-mails being sent to some of its users telling them that attempts to access their account using their master password had been recorded. These attempts were blocked by LastPass, which ruled out a data leak but said it had found an error in its security systems.

On the same subject:
LastPass: Users Report Suspicious Activity on Their Accounts

Sources: Reddit, LogMeIn community
