Password Managers
You gave them every password you own. LastPass proved what happens when that trust is broken.
8 devices analyzed.
What we found
LastPass Password Manager: F. Claimed 'zero-knowledge' encryption. Hackers stole 25.6 million vaults. URLs, email addresses, and company names were stored unencrypted. $438 million stolen from cracked vaults.
The 2022 breach revealed unencrypted vault metadata including website URLs, form field names, and email addresses. Zero-knowledge means the provider can't see ANY user data, but LastPass stored significant user data in plaintext. The stolen vault backups also included unencrypted company names and end-user names.
Google Password Manager: F. Google can read your passwords.
By default, Google Password Manager uses server-side encryption where Google holds the encryption keys. This means Google can technically read your passwords. 'On-device encryption' is available but opt-in and buried in settings. Most of the 3+ billion Chrome users are on the default setting where Google has access.
Apple Passwords (iCloud Keychain): F. Without Advanced Data Protection enabled (which most people haven't), Apple holds the keys to your passwords.
iCloud Keychain syncs passwords via iCloud. Without Advanced Data Protection (ADP) enabled, iCloud backups — which contain Keychain data — are encrypted with keys Apple holds. Apple can and does provide this data to law enforcement. In H1 2024, Apple received 12,812 US account data requests and complied with the majority.
Dashlane Password Manager: D. The US government can issue a secret court order compelling Dashlane to hand over your account metadata — IP addresses, device IDs, login times — without tel...
Dashlane Inc. is incorporated in New York, USA — subject to the CLOUD Act, which compels US companies to provide data to law enforcement regardless of where the data is stored. While vault contents are encrypted, account metadata (registration info, IP addresses, device IDs, login timestamps) is accessible to Dashlane and therefore to US authorities via legal process.
1Password: D. 1Password records every time you unlock your vault, create an item, or complete onboarding.
1Password added telemetry in 2023 that collects usage data including unlock events, item creation, onboarding completion, device type, and account metadata. For business accounts, telemetry is ON by default and individual employees cannot opt out — only account owners can disable it.
