A class action lawsuit has been filed in the U.S. District Court in Massachusetts, accusing LastPass of failure to secure sensitive customer data and seeking monetary relief for losses caused by recent data breaches.
LastPass is a widely used password manager, password generator, and secure vault app, offering over 30 million users and 85,000 firms an easy way to create, store, manage, and use their secrets.
On December 22, 2022, LastPass reported that an unauthorized party had accessed a cloud server in August 2022, where the software company stored backups of production data.
This unauthorized access resulted in the intruders obtaining access keys that were then used to infiltrate deeper and access storage points containing customer information.
This includes company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from where customers were accessing the LastPass service.
The company claimed that vault copies downloaded from these storage points are encrypted using 256-bit AES derived from the user’s master key, so as long as the user password is adequately strong, the AES key will be hard to decipher.
Lawsuit Allegations
The plaintiff of the class action lawsuit dismisses LastPass claims about the strength of the master key, alleging that even though he used a 12-character password, which should be adequately strong, his account was compromised by hackers on Thanksgiving 2022.
The plaintiff’s vault stored private keys associated with Bitcoin purchases that cost him roughly $53,000. As a result of its breach, the digital assets were transferred to unknown wallets under the attackers’ control.
“The plaintiff would not have given LastPass his Private Information had he known that the sensitive information collected by LastPass would be at risk of compromise and misuse due to Defendant’s negligent data security practices,” reads the complaint.
Considering all the above, the lawsuit alleges that LastPass recommended “best practices” were woefully insufficient to protect the sensitive data of its users, and that the firm’s claims about master passwords not having been breached was never verified by an independent auditor.
Hence, LastPass is accused of hiding critical information about the extent and nature of the data breach and also for attempting to shift the blame to breached users for supposedly choosing weak master passwords.
Finally, LastPass is bashed for falsely claiming that customer information wasn’t at risk in its initial disclosure of the incident in August 2022, only to reveal that extremely important data had been subjected to unauthorized access several months later, in December 2022.
This delay left customers prey to hackers who had ample time to scrutinize the stolen data and plan targeted phishing, scamming, and social engineering attacks.
The plaintiff requests the court to certify the class action and award the appropriate monetary relief to impacted LastPass customers and attorney fees and other compensatory damages.
The plaintiff is also seeking equitable relief, including an injunction against LastPass’s wrongful conduct and a requirement for them to use appropriate methods for consumer data collection, storage, and safety.
But this breach shows that what should be clear to anybody with a little bit of reason: it is stupid to store passwords in a software, and it is fantastically stupid to store passwords even online.
Interestingly many “experts” still recommend password managers as a perfect solution. I do not understand that.
Alex
It’s impossible to use a different unique password for every service. It’s best to use an offline open source password manager and just remember its master key. This is better than reusing the same password for different services
like which one?
Hi RP Community,
This is a fantastic article!
When I first heard about this Lastpass breach, after looking at the reported facts I thought nothing to see here – it’s just another breach.
I took it that Lastpass had reported promptly, the feature of having a private key stored locally would mean that accounts stored in the password manager were safe and I genuinely though that this is just the same as any other breach – that it is a password manager that has been breached, that this is not important.
This article set off my alarm bells, specifically because it involves cryptocurrency theft.
Stealing crypo via account compromise is a pronounced problem.
I read half of the plaintiff’s claim and understood about half of what I read.
I understood that it was a ‘discovery’ document but I sensed there may be more to this.
I thought this is one topic to keep watching.
It was @Ayumu Uehara’s post here and the link provided that has brought me insight into the issue at hand.
From the article @Ayumu Uehara linked to:
“it also contains unencrypted data like website URLs”
Oh My God!
I bet, I wager, anyone who has ever used the internet does not have the same unique fingerprint that my URLs stored in my password manager would provide.
I am not a statistician but I would guess it would be something like, for anyone who has more than x (guessing 20) accounts stored in a password manager would be uniquely identified with y (guessing 1-2%) certainty.
Not encrypting that data is a big fail – it is a huge fail!
It is not beyond a un-technically sophisticated cyber criminal to sift through the breached data looking for Lastpass accounts which contain URLs of crypto-exchanges, then to try to brute force those selected Lastpass accounts.
Even if the victim’s crypto-keys were not stored on the password manager, they’d (the criminals) be into the accounts (email) looking for account take over.
With these said unencrypted fields, what else is this leaked data?
Is there anything that could link the fingerprint (based on URLs) to the user’s identity?
If that would be the case, than this breach would provide an attacker a very large (encompassing maybe) attack surface.
What they’re are after is crypto.
The same anonymity crypto offers as a feature, is also I ripe target for criminals.
If it is difficult for governments to track crypto, that would mean that it would also be very difficult for police to investigate theft?
A ripe target.
GL all,
1. If you are using Lastpass, stolen vault data is safe for now according this source and Lastpass blog:
https://www.tomsguide.com/news/lastpass-hack-was-even-worse-than-originally-reported-should-you-delete-your-account
Here’s a quote from the above link:
“Fortunately, the encrypted fields in this stolen data are secured with 256-bit AES encryption and “can only be decrypted with a unique encryption key derived from each user’s master password” according to Touba.
It’s also worth noting that LastPass doesn’t know its customers’ master passwords, nor is this information stored or maintained by the company.”
2. If you still use Lastpass, maybe you should backup your data dan migrate to another password manager. If you don’t have time to backup your passwords, go for Bitwarden + browser extension.
If you have time to backup your passwords, go for KeepassXC.
3. You can check for your passwords or email breach from sites like Bitwarden Vault or Have I Been Pwned.
4. That being said, I no longer use Lastpass these days. I migrated to KeepassXC for years now. I was a fan of LastPass back in 2009 because at that time, not many websites offer SSL to store my social media passwords.
Lastpass was one of them.
how do i join ? because i was affected ? so was my grandfather him more severely . please tell me how to join the lawsuit ? with scripps i got a letter in the mail. i search online how to join this and i even got the notification from lastpasss of the data breach but see no way to join the suit
@Justin, sorry to here of your misfortune.
If I was seriously affected I would contact a law firm in my own (your own for you) juristiction and ask for advise.
Alternatively, I would contact the plaintiff’s law firm.
With a bit of googling I found these contact details at the bottom of this document.
https://www.scribd.com/document/618070795/Lastpass-Lawsuit#
GL
That’s why I preffer to use only open source, like bitwarden.
LastPass free version introduced me to the world of password managers. But it never worked well on Firefox browser. Then used free Bitwarden. Then moved to paid Sticky Password. Then finally to Dashlane Premium.