Home Just In LastPass Hit with Class-Action Lawsuit After Password Vault Breach

LastPass Hit with Class-Action Lawsuit After Password Vault Breach

by CIOAXIS Bureau

Former LastPass customer says $53,000 in bitcoin was stolen from him as a result of password manager’s data breach

LastPass is facing a class-action lawsuit filed by a former customer who says a hacker stole tens of thousands in Bitcoin from him as a result of one of the password manager’s multiple data breaches last year.

The complaint filed in the U.S. District Court of Massachusetts accuses LastPass of failing to “exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach that began in August” and impacted “potentially millions” of customers.

LastPass acknowledged in late August last year that “an unauthorized party gained access to portions” of its network through a developer’s compromised account, and determined at the time that no customer data or encrypted password vaults were accessed by the hacker.

The company then admitted a second breach in late November, saying someone used information accessed in the August hack to “gain access to certain elements of our customers’ information.” LastPass insisted users’ passwords remained safely encrypted at that time.

But the unnamed plaintiff claims in the suit filed Tuesday that around Thanksgiving weekend of 2022, roughly $53,000 worth of bitcoin was stolen from him by someone who used the private keys he had stored on LastPass for accessing the cryptocurrency.

The lawsuit is asking that LastPass be forced to disclose specifically all the types of private information that were compromised during the breach and, among other things, to pay compensatory damages and restitution for failing to keep customers’ data secure.

In the company’s latest blog update on Dec. 22 regarding the security incidents, LastPass CEO Karim Toubba acknowledged that a “threat actor” had copied a backup of customer vault data that included “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-milled data.”

Toubba emphasized in the post last month that “these encrypted fields remain secured.”

– Fox Business

Recommended for You

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Close Read More

See Ads