Thank You for Your Feedback
We appreciate all our users who reached out with questions, concerns, and requests for more information about the new message displayed after updating the Firefox browser extension.
At LastPass, transparency is essential. We want to clearly explain that this message is related to Firefox’s updated requirements. These changes ensure extensions disclose what information they need to access, collect, or process in order to function properly. This is not a new data collection practice by LastPass it’s about meeting Firefox’s standards for clarity and user trust.
Mozilla’sadd-on policiesrequire extension developers to inform users of the personal data that an extension collects or transmits as part of its functionality.
"More information regarding Firefox requirements here"
Announcing data collection consent changes for new Firefox extensions
As of November 3rd 2025, all new Firefox extensions will be required to specify if they collect or transmit personal data in their manifest.json file using the browser_specific_settings.gecko.data_collection_permissions key. This will apply to new extensions only, and not new versions of existing extensions. Extensions that do not collect or transmit any personal data are required to specify this by setting the none required data collection permission in this property.
"More information here"
Firefox Extensions and Data Transparency
Firefox requires all extensions to declare the types of data they may access even if that data is only processed locally on your device. This is not a new data collection practice. Instead, Mozilla has recently updated its privacy policy requirements for extensions. Developers must now clearly label all categories of data their extensions can process, ensuring greater transparency for users.
Your Privacy Comes First at LastPass
We believe in full transparency about how your data is handled. If we ever collect or transmit personal information, you’ll know about it. For example, when you save form fills in your vault, that data is securely stored, and when you use autofill, the extension transmits it only to the site you choose.
LastPass requests access to websites and browsing activity exclusively to identify login pages and match the correct credentials, this prevents accidental autofill's on the wrong forms. Authentication checks are limited to confirming your account status or vault session; they never involve your passwords or master password.
Your location is determined solely from your IP address and is limited to an approximate region. We never store or view payment details; all transactions are processed securely by trusted third-party providers.
Your security and privacy are our top priority always.
All passwords in your vault are encrypted using zero-knowledge encryption
Always here to help!
Greetings!
Verlaine | Customer Care
Hello Verlaine,
These (3rd part under Permissions and data at https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/):
Required data collection, according to the developer:
When updating the extension it specifically mentions that these are new
Hello! @tim44
Welcome to the LastPass Community.
Could you please provide more details about the data collection you are talking about?
Please let me know if you need additional help.
They might be limited by available options: https://extensionworkshop.com/documentation/develop/firefox-builtin-data-consent/#taxonomy - the granularity is quite coarse.
original poster here, got the same promt as the screenshot indeed, Windows here.
Just got this too on FireFox on Windows, seems like quite a broad need that feels quite intrusive, especially since I can't find any information on why it's like this now, no patch notes or announcements regarding this can make it seem like a bad actor has pushed a false update to steal login information and other data.
The only patch note does not even mention FireFox as a target, however it also only says:
Which I wont consider as something that would need to know all this other data collection stuff?
Until its properly addressed and I can be sure this is actually a real update from LastPass and not a bad actor trying to steal data, I will not approve of those new permissions.
Verlaine -
If you are a LastPass employee, you really ought to know about this. The latest LastPass update is now showing up (at least on Firefox on a Mac) with a frankly alarming list of "new required data collection." See the image the previous responder posted. If this is true (you're going to start collecting financial, payment, personally identifying, information ... I'm going to drop LastPass immediately.
Please follow up on this immediately and get back to us ... my first reaction is "this can't really be true", but if it is, bye-bye LastPass.
To reproduce, install LastPass for Firefox 4.149.3, then update to 4.150.0
> Could you please provide more details about the data collection you are talking about?
Here is the prompt Firefox started to show:
I thought that it is related to the new Firefox policy, but it explicitly does not apply to updates.
I've received a reply for support case:
-- Begin quote --
I can confirm that this is a legitimate and expected update request for the LastPass browser extension. When an extension update includes changes to required permissions, the browser (such as Chrome, Edge, or Firefox) will automatically display a message like the one you received. This is a standard security measure from the browser, not an indication of anything unsafe.
Should you click “Update”?
Yes — updating is safe and recommended. The update will simply move you from version 4.149.3 to 4.150.0, and the extension will continue to function normally.
Why does the prompt list data categories?
Browsers require developers to disclose the types of data an extension may access in order to perform its functions. For a password manager, this includes categories such as:
It’s important to note that this does not mean LastPass is collecting or transmitting all of this data at all times. These permissions simply allow the extension to perform the functions you expect from a password manager.
-- End quote --
Well, assuming you didn't change anything on the quote (it's an quote after all), he's talking about permissions, those were already there and those aren't the ones mentioned in the message. The required data collection, which is the new one, is mentioned apart from those permissions, and it even says "according to the developer" after it. And about his last part, that's how permissions work. Data collecting means data collecting. If they don't do it at all times, how do they know when to do it?
Thanks for posting your support case reply. That makes sense and is very helpful. It seems like what we are seeing is browser "boilerplate", rather than anything specific from LastPass. Nevertheless, if LastPass is making changes to their permissions handling, I think we ought to be told the specifics. It would be great if you could follow up with your support case to see if you can get the specifics.
Yeah - so this may be the last straw for me as a LP customer. There is NO REASON LastPass needs to have all of this data. The worst of all is the access to financial and payment information. LastPass leaders (if you are reading this) did you not learn anything from your data breach a few years ago? You only collect what is a ABSOLUTELY needed - not all this extra data. DUMB DUMB DUMB.
I was already feeling unsafe after the last few data breaches, but this is a step too far. I've been a paying customer for over 10 years now, and their service has been steadily declining to a point where I can no longer trust that my data is safe nor that my money is well spent.
@Verlaine Escalante
You said: "This will apply to new extensions only, and not new versions of existing extensions. Extensions that do not collect or transmit any personal data are required to specify this by setting the none required data collection permission in this property."
So, the LastPass Firefox extension is new? What were we using before?
Hi, @Steve Taylor
The LastPass app version is new, and has been updated to comply with Firefox's new data security / transparency requirements.
Most of the data points referenced are only used by LastPass within the browser itself, and are not "collected" or "stored" anywhere on LastPass servers.
I'd like to take this opportunity to remind everyone that LastPass uses a zero-knowledge policy, where your Vault data is complete encrypted and not visible to anyone but you. Other data like location / IP address' are kept for a period of 90 days in order to verify your identity for security purposes.
Thanks for your answer, although I'll still be skeptic, but I guess you'll never know these things for sure on the internet. Just saying, I've this saved in case it turns out to be false, hope you understand that.
