• Skip to main content
  • Skip to header right navigation
  • Skip to site footer
Restore Privacy

Restore Privacy

Resources to stay safe and secure online

  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact
  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact

LastPass Faces Class Action Lawsuit for Lack of Security

January 6, 2023 By Heinrich Long — 8 Comments
LastPass Faces Class Action Lawsuit for Lack of Security

A class action lawsuit has been filed in the U.S. District Court in Massachusetts, accusing LastPass of failure to secure sensitive customer data and seeking monetary relief for losses caused by recent data breaches.

LastPass is a widely used password manager, password generator, and secure vault app, offering over 30 million users and 85,000 firms an easy way to create, store, manage, and use their secrets.

On December 22, 2022, LastPass reported that an unauthorized party had accessed a cloud server in August 2022, where the software company stored backups of production data.

This unauthorized access resulted in the intruders obtaining access keys that were then used to infiltrate deeper and access storage points containing customer information.

This includes company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from where customers were accessing the LastPass service.

The company claimed that vault copies downloaded from these storage points are encrypted using 256-bit AES derived from the user’s master key, so as long as the user password is adequately strong, the AES key will be hard to decipher.

Lawsuit Allegations

The plaintiff of the class action lawsuit dismisses LastPass claims about the strength of the master key, alleging that even though he used a 12-character password, which should be adequately strong, his account was compromised by hackers on Thanksgiving 2022.

The plaintiff’s vault stored private keys associated with Bitcoin purchases that cost him roughly $53,000. As a result of its breach, the digital assets were transferred to unknown wallets under the attackers’ control.

“The plaintiff would not have given LastPass his Private Information had he known that the sensitive information collected by LastPass would be at risk of compromise and misuse due to Defendant’s negligent data security practices,” reads the complaint.

Considering all the above, the lawsuit alleges that LastPass recommended “best practices” were woefully insufficient to protect the sensitive data of its users, and that the firm’s claims about master passwords not having been breached was never verified by an independent auditor.

Hence, LastPass is accused of hiding critical information about the extent and nature of the data breach and also for attempting to shift the blame to breached users for supposedly choosing weak master passwords.

Finally, LastPass is bashed for falsely claiming that customer information wasn’t at risk in its initial disclosure of the incident in August 2022, only to reveal that extremely important data had been subjected to unauthorized access several months later, in December 2022.

This delay left customers prey to hackers who had ample time to scrutinize the stolen data and plan targeted phishing, scamming, and social engineering attacks.

The plaintiff requests the court to certify the class action and award the appropriate monetary relief to impacted LastPass customers and attorney fees and other compensatory damages.

The plaintiff is also seeking equitable relief, including an injunction against LastPass’s wrongful conduct and a requirement for them to use appropriate methods for consumer data collection, storage, and safety.

About Heinrich Long

Heinrich is an associate editor for RestorePrivacy and veteran expert in the digital privacy field. He was born in a small town in the Midwest (USA) before setting sail for offshore destinations. Although he long chafed at the global loss of online privacy, after Edward Snowden’s revelations in 2013, Heinrich realized it was time to join the good fight for digital privacy rights. Heinrich enjoys traveling the world, while also keeping his location and digital tracks covered.

Reader Interactions

Comments

  1. Alex

    January 23, 2023

    But this breach shows that what should be clear to anybody with a little bit of reason: it is stupid to store passwords in a software, and it is fantastically stupid to store passwords even online.
    Interestingly many “experts” still recommend password managers as a perfect solution. I do not understand that.

    Alex

    Reply
    • cche

      January 27, 2023

      It’s impossible to use a different unique password for every service. It’s best to use an offline open source password manager and just remember its master key. This is better than reusing the same password for different services

      Reply
  2. BoBeX

    January 13, 2023

    Hi RP Community,

    This is a fantastic article!

    When I first heard about this Lastpass breach, after looking at the reported facts I thought nothing to see here – it’s just another breach.
    I took it that Lastpass had reported promptly, the feature of having a private key stored locally would mean that accounts stored in the password manager were safe and I genuinely though that this is just the same as any other breach – that it is a password manager that has been breached, that this is not important.

    This article set off my alarm bells, specifically because it involves cryptocurrency theft.
    Stealing crypo via account compromise is a pronounced problem.
    I read half of the plaintiff’s claim and understood about half of what I read.
    I understood that it was a ‘discovery’ document but I sensed there may be more to this.
    I thought this is one topic to keep watching.

    It was @Ayumu Uehara’s post here and the link provided that has brought me insight into the issue at hand.
    From the article @Ayumu Uehara linked to:
    “it also contains unencrypted data like website URLs”
    Oh My God!

    I bet, I wager, anyone who has ever used the internet does not have the same unique fingerprint that my URLs stored in my password manager would provide.
    I am not a statistician but I would guess it would be something like, for anyone who has more than x (guessing 20) accounts stored in a password manager would be uniquely identified with y (guessing 1-2%) certainty.
    Not encrypting that data is a big fail – it is a huge fail!

    It is not beyond a un-technically sophisticated cyber criminal to sift through the breached data looking for Lastpass accounts which contain URLs of crypto-exchanges, then to try to brute force those selected Lastpass accounts.
    Even if the victim’s crypto-keys were not stored on the password manager, they’d (the criminals) be into the accounts (email) looking for account take over.

    With these said unencrypted fields, what else is this leaked data?
    Is there anything that could link the fingerprint (based on URLs) to the user’s identity?
    If that would be the case, than this breach would provide an attacker a very large (encompassing maybe) attack surface.

    What they’re are after is crypto.
    The same anonymity crypto offers as a feature, is also I ripe target for criminals.
    If it is difficult for governments to track crypto, that would mean that it would also be very difficult for police to investigate theft?
    A ripe target.

    GL all,

    Reply
  3. Ayumu Uehara

    January 10, 2023

    1. If you are using Lastpass, stolen vault data is safe for now according this source and Lastpass blog:
    https://www.tomsguide.com/news/lastpass-hack-was-even-worse-than-originally-reported-should-you-delete-your-account

    Here’s a quote from the above link:
    “Fortunately, the encrypted fields in this stolen data are secured with 256-bit AES encryption and “can only be decrypted with a unique encryption key derived from each user’s master password” according to Touba.
    It’s also worth noting that LastPass doesn’t know its customers’ master passwords, nor is this information stored or maintained by the company.”

    2. If you still use Lastpass, maybe you should backup your data dan migrate to another password manager. If you don’t have time to backup your passwords, go for Bitwarden + browser extension.
    If you have time to backup your passwords, go for KeepassXC.

    3. You can check for your passwords or email breach from sites like Bitwarden Vault or Have I Been Pwned.

    4. That being said, I no longer use Lastpass these days. I migrated to KeepassXC for years now. I was a fan of LastPass back in 2009 because at that time, not many websites offer SSL to store my social media passwords.
    Lastpass was one of them.

    Reply
  4. justin

    January 10, 2023

    how do i join ? because i was affected ? so was my grandfather him more severely . please tell me how to join the lawsuit ? with scripps i got a letter in the mail. i search online how to join this and i even got the notification from lastpasss of the data breach but see no way to join the suit

    Reply
    • BoBeX

      January 10, 2023

      @Justin, sorry to here of your misfortune.
      If I was seriously affected I would contact a law firm in my own (your own for you) juristiction and ask for advise.
      Alternatively, I would contact the plaintiff’s law firm.
      With a bit of googling I found these contact details at the bottom of this document.
      https://www.scribd.com/document/618070795/Lastpass-Lawsuit#
      GL

      Reply
  5. John

    January 7, 2023

    That’s why I preffer to use only open source, like bitwarden.

    Reply
    • Intergalatic Doggy 🐶

      January 10, 2023

      LastPass free version introduced me to the world of password managers. But it never worked well on Firefox browser. Then used free Bitwarden. Then moved to paid Sticky Password. Then finally to Dashlane Premium.

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Sidebar

Digital Privacy Essentials:
Secure Browsers
Private Search Engines
Secure Email
Best Password Managers
Secure Messaging Services
Best Ad Blockers
Best VPN Services
Secure Cloud Storage

Privacy & Security Guides:
Privacy Tools
Alternatives to Google Products
Firefox Privacy Modifications
Five Eyes, 9 Eyes, 14 Eyes Spying
Browser Fingerprinting
Is Tor Safe?
Alternatives to Gmail
VPN vs Tor
Alternatives to WhatsApp
Is Your Antivirus Spying on You?
Controlling Communication Channels is Crucial for Privacy
Anonymity Networks: VPNs, Tor, and I2P
How to Really Be Anonymous Online
Private and Anonymous Payments

Secure Email Reviews:
ProtonMail Review
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
Temporary Email Services
Encrypted Email

Password Manager Reviews:
Bitwarden Review
LastPass Review
KeePass Review
NordPass Review
Dashlane Review
1Password Review
Best Password Managers

Secure Messaging App Reviews:
Wire Review
Signal Review
Threema Review
Telegram Review
Session Review
Wickr Review

Secure Cloud Storage Reviews
Tresorit Review
MEGA Cloud Review
Sync.com Review
Nextcloud Review
IDrive Review
pCloud Review
SpiderOak Review
NordLocker Review

How To Guides
How to Encrypt Files on Windows
How to Encrypt Email
How to Configure Windows 10 for Privacy
How to use Two-Factor Authentication (2FA)
How to Secure Your Android Device for Privacy
How to Secure Your Home Network
How to Protect Yourself Against Identity Theft
How to Unblock Websites
How to Fix WebRTC Leaks
How to Test Your VPN
How to Hide Your IP Address
How to Create Strong Passwords
How to Really Be Anonymous Online

About RestorePrivacy

Contact

Restore Privacy Checklist

  1. Secure browser: Modified Firefox or Brave
  2. VPN: NordVPN (68% Off Coupon) or Surfshark
  3. Ad blocker: uBlock Origin or AdGuard
  4. Secure email: Mailfence or Tutanota
  5. Secure Messenger: Signal or Threema
  6. Private search engine: MetaGer or Brave
  7. Password manager: NordPass or Bitwarden

About

Restore Privacy is a digital privacy advocacy group committed to helping people stay safe and secure online. You can support this project through donations, purchasing items through our links (we may earn a commission at no extra cost to you), and sharing this information with others. See our mission here.

We’re available for Press and media inquiries here.

Restore Privacy is also on Twitter

COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP