A class action lawsuit has been filed in the U.S. District Court in Massachusetts, accusing LastPass of failure to secure sensitive customer data and seeking monetary relief for losses caused by recent data breaches.
LastPass is a widely used password manager, password generator, and secure vault app, giving over 30 million users and 85,000 businesses an easy way to create, store, manage, and use their secrets.
On December 22, 2022, LastPass reported that an unauthorized party had accessed a cloud server in August 2022, where the software company stored backups of production data.
This unauthorized access resulted in the intruders obtaining access keys that were then used to infiltrate deeper and access storage points containing customer information.
This includes company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from where customers were accessing the LastPass service.
The company claimed that vault copies downloaded from these storage points are encrypted with 256-bit AES using a key derived from the user’s master key, so as long as the user’s password is adequately strong, the AES key will be hard to recover.
The plaintiff in the class action lawsuit dismisses LastPass’s claims about the strength of the master key, alleging that even though he used a 12-character password, which should be adequately strong, his account was compromised by hackers on Thanksgiving 2022.
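Whether a stolen encrypted vault is safe comes down to how much work each offline password guess costs, which is what the dispute over the plaintiff’s 12-character password is about. The following added example (not LastPass’s code; the KDF, iteration count, salt and guesser throughput are assumptions, as the article states none of them) derives a 256-bit vault key with PBKDF2 and shows how password composition and iteration count change the expected guessing time.

```python
import hashlib
import math

# Constructed parameters for illustration only; the article does not state
# LastPass's actual KDF, salt handling or iteration count.
ILLUSTRATIVE_ITERATIONS = 100_000
CONSTRUCTED_SALT = b"example-user@example.invalid"


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit AES key from a master password with PBKDF2-HMAC-SHA256.

    The vault is only as protected as this key: anyone holding a copy of the
    encrypted vault can keep guessing passwords offline, and each guess costs
    them `iterations` HMAC-SHA256 computations.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_offline_guessing_years(entropy_bits: float, iterations: int,
                                    hmac_per_second: float) -> float:
    """Expected time to recover the key by offline guessing, assuming half the
    password space must be tried on average and `hmac_per_second` is the
    guesser's aggregate HMAC-SHA256 throughput (an assumed figure)."""
    expected_guesses = 2.0 ** (entropy_bits - 1)
    seconds = expected_guesses * iterations / hmac_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", CONSTRUCTED_SALT,
                           ILLUSTRATIVE_ITERATIONS)
    print("vault key:", key.hex())
    # Same length, very different strength: 12 random printable ASCII
    # characters versus 12 random lowercase letters.
    assumed_rate = 1e9  # assumed guesser throughput, HMAC-SHA256 per second
    for label, alphabet in (("printable ASCII", 94), ("lowercase", 26)):
        bits = password_entropy_bits(12, alphabet)
        years = expected_offline_guessing_years(bits, ILLUSTRATIVE_ITERATIONS, assumed_rate)
        print(f"12 chars, {label}: {bits:.1f} bits, ~{years:.3g} years")
```

Raising the iteration count scales the guessing time linearly, while each extra bit of password entropy doubles it; a 12-character password built from a small alphabet or dictionary words has far fewer bits than its length suggests.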
The plaintiff’s vault stored private keys associated with Bitcoin purchases that cost him roughly $53,000. After the vault was breached, the digital assets were transferred to unknown wallets under the attackers’ control.
“The plaintiff would not have given LastPass his Private Information had he known that the sensitive information collected by LastPass would be at risk of compromise and misuse due to Defendant’s negligent data security practices,” reads the complaint.
Considering all the above, the lawsuit alleges that LastPass’s recommended “best practices” were woefully insufficient to protect the sensitive data of its users, and that the firm’s claims that master passwords had not been breached were never verified by an independent auditor.
Hence, LastPass is accused of hiding critical information about the extent and nature of the data breach and of attempting to shift the blame onto breached users for supposedly choosing weak master passwords.
Finally, LastPass is criticized for falsely claiming in its initial disclosure of the incident in August 2022 that customer information was not at risk, only to reveal several months later, in December 2022, that extremely important data had been subjected to unauthorized access.
This delay left customers exposed to attackers who had ample time to scrutinize the stolen data and plan targeted phishing, scamming, and social engineering attacks.
The plaintiff requests that the court certify the class action and award impacted LastPass customers appropriate monetary relief, attorney fees, and other compensatory damages.
The plaintiff is also seeking equitable relief, including an injunction against LastPass’s wrongful conduct and a requirement that the company use appropriate methods for consumer data collection, storage, and safety.