How do I find out if my data was included in the LastPass breach?

Send a GDPR subject access request to LastPass. Under Article 15 GDPR, they must confirm whether they process your personal data and provide a copy. This is free and they must respond within one month.

Can I request LastPass delete my data after the breach?

Yes. Under Article 17 GDPR (the right to erasure), you can request that LastPass delete all personal data they hold about you. The data breach may provide additional grounds for this request.

How long does LastPass have to respond to my GDPR request?

One month from the date they receive your request. They can extend this by two further months for complex requests, but must inform you within the first month.

LastPass Data Breach — Send a GDPR Request

Q: What data was exposed in the LastPass breach?

2022 (All LastPass customers): In a two-stage attack, hackers first stole source code and technical information, then used it to access a cloud backup containing encrypted customer password vaults along with unencrypted account metadata.

2022 All LastPass customers affected

In a two-stage attack, hackers first stole source code and technical information, then used it to access a cloud backup containing encrypted customer password vaults along with unencrypted account metadata.

Data exposed:

Encrypted password vaults
Website URLs stored in vaults (unencrypted)
Email addresses
Billing addresses
Telephone numbers
IP addresses used to access LastPass
Partial credit card numbers

What you can do

LastPass held some of the most sensitive data imaginable — encrypted vaults containing all your passwords. A GDPR access request reveals what account metadata they hold, how it was secured, and what third parties it was shared with. You may also have grounds for erasure.

Generate your access request

Fill in your details below. Address the completed letter to LastPass's Data Protection Officer — find the contact details via the link above.

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

Confirmation that you are processing my personal data.
A copy of my personal data.
The purposes of the processing.
The categories of personal data concerned.
The recipients or categories of recipients to whom my personal data has been or will be disclosed.
The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
Information about the source of my personal data if it was not collected directly from me.
The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,,

Text copied to clipboard

1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.

No response after one month? File a complaint with your DPA →

Select your country to find your data protection authority:

LastPass Data Breach — Exercise Your GDPR Rights

What happened

What you can do

Generate your access request