Lastpass locked us out of our shared password database and want $750

20 points by what-imright ↗ HN
Lastpass has locked us from exporting our company’s shared password database unless we pay them for another 6 month subscription ($750). We can’t even discuss this with support because they refuse to email, chat or call with us (they have no listed number) until we pay. They’re holding our own passwords as a ransom against us. HN what should we do?

46 comments

[ 4.8 ms ] story [ 62.6 ms ] thread
I would presume that you were seeking to export passwords at the end of an existing subscription, and, maybe, you waited a little too long?

Anyway, clicking on About Us takes one to the website for GoTo, who have a phone number on the top right. Maybe you want to try calling that number (1 866 890 8931) and seeing if you can get some help by speaking to a person there?

Great business model! ;(
Small claims court. Why is this so hard?
It's iffy and it would take a few months to resolve plus company time and resources. It sucks but it's way easier to pay the $750 and they know it.
No, you pay the $750, export your data, then sue them to get your money back. In order to win you have to prove that you were damaged, and the easiest way to prove it is to present a receipt. Yes, filing the case costs a little money, and then you have to waste a day of your time at the courthouse, but afterwards you will have your money back, including court costs. Most importantly, however, is that the sting of it might actually get them to change their behavior.

The ideal outcome would be that they don’t appear in court, you get a default judgement, they ignore your written request to pay it, and then you visit their office with a sheriff and a local reporter or two to either get them to write a check or to seize some furniture. How many times do you think the CEO would be willing to read those news stories (and risk losing his own office furniture, because obviously you would start there) before they decide to let people sign into their expired accounts to export their passwords?

It’s not really about the money, it’s about forcing them to do the right thing.

I think it shows that they’re aware their business model will fail soon to free and open source options, so they’re milking their remaining customers. Burning your users like this is a one way function
True, you have to show damages before you can sue. I see your point but it's still a pain to deal with. Hard to be a crusader.
They'd lose because they have no case.

I do not recommend anyone ever use lastpass or 1password, so I am absolutely no fan or apologist, but this is not a case of them doing anything wrong.

This story doesn't deserve any attention at all.

I want to side with both here, personally that sucks, professionally, what’s happening over there? Paying the bill shouldn’t be a second thought, understanding how it got to that point afterwards is what’s important. That company can’t be held liable for establishing a boundary that there is valuable material in storage they pay for that you happen to rent from them. This post oozes of superficiality and I absolutely loath[e] LastPass, but in this case, I’m on their side. But yeah, that sucks!
What’s outrageous is how they only hold 30 shared passwords but somehow billed us $1500 a year to use a browser plugin to serve 20 kilobytes of data to 12 people.
You choose to use Laspass rather than any of the free solutions because of its ease. Your problem is you gave 30 critical pieces of information to a third-party without any backup solution.
Yes, it is our fault for trusting them ultimately. Agreed
I'm not quite sure I understand, isn't there a written contract you sign that states exactly what you get for N amount of money? Paying extra because of insufficient planning sucks, but is the price of such luxury.

Think of the bright side; it's a good thing this bit your company at this early stage and not with half a million dollar contracts.

This is honestly a tough thing with other cloud-based solutions aswell. Backing up your data from say AWS isn't difficult _per se_, it's just made prohibitively expensive to export any serious amount of data
"What's outrageous is how they do exactly what they said they would for the price we accepted." What did you expect from them?

The refusal to provide access without renewal is scummy, but this complaint is silly.

It’s your data, you should be allowed to export it whenever you want, expired account or not. At least, it is mandatory under GDPR.
As the service provider, you should be able to simply delete the data the moment it's resources are no longer being paid for.

It's also reasonable logic to hold any property hostage that has an outstanding dept associated with it. That's just a lein and is a common legal process. This is different from simply "account is no longer active"

So, it's not so cut and dried and obvious. Like a lot of things, if it's obvious and simple it's probably also incorrect or at least incomplete.

I'd say they should be either deleting the data OR allow export of the data as of the last time the account was current if they retained it, not retaining it and then holding it hostage. That is essentially using someone else's property for your own purposes.

In this state it's a form of threat that I'm not sure would pass a good thorough legal exam8nation.

Consider, they are holding something of yours which places you at risk where they might get hacked and leak your passwords, or they might even sell them to someone else who you never approved of, all while you are no longer consenting to their posession of this material. The entire company, meaning all assets, meaning your data, being sold to someone else absolutely qualifies, and has even already happened. That threat is at least a little bit like a gangsters protection payment then a legit lein.

I think this means that really the law of the land should be that they are obligated to delete anything that isn't current (covered by an active account or contract), with only some well defined and not-forever grace period to cover mishaps.

Being able to export data out from any service should be independent of the subscription status for any product IMO.

It becomes even more crucial for services like password managers.

If you think you can win, yeah small claims court is where to go. You don't need a lawyer for it I don't think, and many places they won't allow the other side to have a lawyer either. I don't know how it would work with Lastpass though, since it's a company, and I don't know how that works in small claims court as most times those are just between people (like renters and landlords). Since it's <$5000 I think small claims court is the only place you can go? It takes more money to end up in a larger court, like if you had damages and asked for $1m.

It seems pretty shitty, but if you missed your deadline and the contract says that you can't get to it, then you can't get to it. But fight it anyway. I wouldn't call it a ransom though, they're asking for payment, and they may be right or not, depending on the terms.

Good luck.

Pay, export, chargeback, and tell them that they can discuss this with your support department if they don't like it. (But don't give them the contact details, obviously.)

I recommend Bitwarden by the way.

I hope that you manage to solve the situation soon. Once you do, please consider self-hosting Bitwarden. A password manager is a simple product that anybody can self-host: don't pay LastPass money to manage your passwords and them hold them in ransom.
pay them then get out of the product.

you dont have any other answer that would be anywhere near as close to a win.

Migrate to Keepass and a private cloud share, like Nextcloud. Do not ever rely on proprietary solutions for key infrastructure.
I’ve actually setup KeePassXC with the database file on a Syncthing share and it works perfectly. In fact it’s simpler than Lastpass their GUI is a mess, and more secure, and auto backups and works with every browser and updates in realtime. But I need those passwords to free us from Lastpass.
Can't you switch to a different plan (i.e. a team of one user), export the data and get the hell out of there?

Still a few dollars wasted, but $5-10 is much better than $750.

This doesn't sound like Ransom.

It sounds like you misunderstood your contract; you only have access while you have a subscription.

Was this fact not made clear when you took the subscription? Because if this wasn't a condition when you bought the subscription (it was only added on after you paid) then you have some legal remedies.

If it was a condition when you subscribed, then you cannot really complain, can you? You saw the conditions, you agreed to them, and now you want to retroactively withdraw your agreement.

Really? Do you read the 40 page small print for any service you use? On every cloud service it says we can do whatever we want without liability, then establishes you can’t sue - arbitration only and then says take it or leave it
Isn’t it baked into the concept of a subscription service that you can only use it while you have an active subscription?

I don’t think that’s fine print.

> Really? Do you read the 40 page small print for any service you use? On every cloud service it says we can do whatever we want without liability, then establishes you can’t sue - arbitration only and then says take it or leave it

Yes, really! It's called contracts - don't sign it until you read it[1]. The whole point behind a subscription is that you only get to enjoy the product while you are subscribed. I very much doubt that the fine-print said anything along the lines of "some functionality is available after subscription ends".

Now let's be fair, you work for a company. Presumably, your company makes money by selling its products.

Do you really think it is reasonable that someone who purchased your product, and who agreed to the terms of purchase (price, warrantee, etc) should be able to later retroactively withdraw their agreement?

Did you actually put something like that - "Customer is free to change their mind any time after purchase and we will agree to continue providing service and/or product" - into your purchase agreement?

Do you allow your ex-customers to get more product for free because at some time in the past they were customers?

In all other business dealings, do you expect to make the other party whole just because the other party felt that it was too onerous to read the contract you provided?

If you feel that people should not be held to the contracts they signed, why bother making them sign?

I feel for you, but this is all self-inflicted; agreeing to something and then complaining that the other party is adhering to the terms of the agreement is a a very unprofessional way to behave.

[1] I don't think you were given a 40 page contract to peruse; this is the actual contract you agreed to : https://www.lastpass.com/legal-center/terms-of-service/busin.... It's 12 pages of large font. The section about Fees, billing, etc is on the SECOND page, with an extra large heading of "Orders, Fees and Payment".

It doesn’t change what they’re obviously trying to do. They haven’t deleted the user data, as you would expect perhaps from that contract spiel ^ but instead hold it as a reward for resubscribing. Holding the company's ability to operate for ransom. That’s so underhanded I don’t have the words. Actually I do - Lastpass is a form of ransomware, except that you pay them before they lock you out of your data as well. By definition, that’s what they’re doing. Show me that in their stupid contract

I mean sure they slipped us a contract too long to read on a busy day, Ok, but that they’re now bending their customer over is still cause for alarm. Just because their contract says they can get away with it doesn’t mean they aren’t scum for doing it to a customer that gave them a pile of money for a simple convenience service.

I mean their whole pitch is based around them being trustworthy. They’re just waiting to stab you in the back.

Dear Mr. what-imright, I'm sorry, but this time you're what-imwrong.

.

You chose the provider. (when there were others)

You chose the service profile. (when you could have done otherwise)

You chose to under-utilize a costly service. (not their fault if you have only 30 passwords)

You fucked it up by letting the service expire. (You had all the time to prepare)

You didn't do any backups. (what's it? Five minutes, manually, on a single post-it?)

*You* have a very strange idea of what a service is. (not them)

You apparently didn't even bother reading the first two pages of the contract. (or anything else.)

You don't want to renew... (someone said: "pay up or shut up" and they're right.)

.

*You* did it all, and now you're blaming them???

Not Cool man, Not Cool.

These read like paid reviews. Something off with these comments.
> These read like paid reviews.

You think all of these people, with comment histories going back years, are suddenly all on your providers payroll?

> Something off with these comments.

Nothing is off with the comments, you're trying to convince all of us that you should continue getting service after your subscription ends. You're being very unprofessional by demanding free service, and then accusing people who point out this fact as paid shills.

I asked earlier if your company continues giving away product to ex-customers, and you haven't answered yet.

Do you give away product for free to ex-customers? I wanna know if you do, so that I know where I can signup, pay once, end the subscription and still get your service for free.

C'mon - you've thrown some accusations around here, you may as well answer the question.

I'll bet there's a service running to protect brands from the lens of HN. They'll pay a monthly fee, and fake users with enough karma flag out unflattering stories.

Something is very off here. Where's dang when you need him?

> Ok let me answer your stupid sponsored rhetorical question, on the off chance you aren't a shill. And you are a shill.

> Something is very off here. Where's dang when you need him?

You're repeatedly making very serious accusations here, especially serious as you can see from my open comment history that I am not shilling. Are you sure you want Dang to join the conversation[1]?

I think if you post enough mentioning @dang, he might show up. I don't know if that works though - you can try.

Ok let me answer your stupid sponsored rhetorical question, on the off chance you aren't a shill. And you are a shill.

Yes, if the contract states on termination no access to a cloud resource, that's the deal. Technically they're within the rules they laid out and we agreed to, except that they held onto data they do not own after termination.

There are two issues. First, this is a trust me story. A company that pulls this trick can do it one single time. We will never pay them another cent, and will tell everyone that will listen exactly what they did. Their contract has a clause to fuck the customer, and they use it. Lastpass are done, and they know it. This is a "fuck the last standing customer" clause to milk what's left of a resold company with a collapsing user base and a broken outdated business model.

Second, they kept our companies sensitive secret and essential-for-operations data and refuse to give us a copy unless we pay the resubscription fee (ransom). That's a state where a terminated contract leaves them with secret customer data, and now they want a payoff. Their contract doesn't excuse them from breaking the law. That data should've been deleted, if not, it has to be accessible by law to the owner. It's Right of Access.

> Yes, if the contract states on termination no access to a cloud resource, that's the deal. Technically they're within the rules they laid out and we agreed to, except that they held onto data they do not own after termination.

You are not answering the question, which is "Does your company provide service to ex-customers?"

Does it?

*YES* it does. If we’ve taken their money in the past we’ll certainly help them, even if they’re migrating to another platform. Good business also means closing a relationship well. Then there’s an opportunity for future business, and even if they decide not to return, the personal relationships are of the highest value. You can’t see the forest for the trees. Wealth is not just about money. Successful long term strategies rest squarely on your ability to maintain relationships.
Iportantly, this is not callous victim-blaming based on some legal technicality either.

The terms and the outcome are actually perfectly reasonable and expected, not some crazy unsuspected gotcha buried in fine print to ensnare hapless victims.

This is not actually a case of "You didn't read 40 pages of deliberately inscrutable legal triple-speak and so it's 100% your fault and not at all the author of the deliberately inscrutable contract."

The the outcome here is exactly in line with a surface layman understanding of the terms without reading them in detail. No way would they be able to show any sort of misrepresentation.

(comment deleted)
I'm a journalist and I would like to know more. Please email me at bray@globe.com. Thanks.

Hiawatha Bray Boston Globe

Wow, does this ever sound familiar! We just went through something very similar, and getting in touch with someone capable of providing assistance is nearly impossible. Took us three weeks of constant emailing and calling to finally get our situation squared away (and we were simply trying to renew!!)
Passwords are data and data needs to be backed up.

So here we have someone who doesn't keep backups, who didn't read the contract, and who didn't keep track of the subscription expiration date complaining about a completely self inflicted problem.