That's a highly sus statement. Firstly who says "unencrypt" and second there is a whole string of crypto hacks that had their details in Lastpass...and crucially the URLs were not encrypted so evildoers could see which accounts are worth throwing compute at

Plus the not stored by LassPass seems entirely wrong too? I can log in to their website and see my stuff...they very obviously store it

Very strange to have a regulator of databreaches get the basics so fundamentally wrong