LastPass sued over “woefully insufficient” security


A class action lawsuit against LastPass was put forward following two data breaches the company suffered last year.

Someone has filed a petition for a lawsuit against the password management service provider LastPass. The plaintiff alleges that the company’s “data security failures” led to two data breaches last year.

In August 2022, attackers accessed LastPass’ development environment, source code, and technical information through an internal account.

Three months later, it was revealed that threat actors had succeeded in exploiting the information obtained in August to access a third-party cloud-based storage service and “copy a backup of customer vault data.”

The lawsuit alleges that LastPass mishandled the August data breach, understating the attack’s impact, which resulted in the December breach, potentially exposing sensitive user data.

“Defendant’s disclosure, in addition to being unreasonably delayed, has been woefully inadequate and directly contributed to the damages suffered by Plaintiff and the Class thus far,” states the complaint.

One of the parties behind the lawsuit, an individual from the state of Pennsylvania, claims he lost $53k worth of Bitcoin due to a compromised password that was stored in the LastPass customer vault.

The individual claims he deleted his private information from the company’s vault after learning about the breach in August. However, around the Thanksgiving weekend of 2022, his Bitcoin was stolen.

The lawsuit also questions the accuracy of LastPass’ claims that neither breach resulted in the loss of user master passwords, the keys used to protect vaults containing customer passwords.

“Not only has this statement not been verified through discovery, but it is also a shameless attempt by LastPass to shift the blame of the Data Breach’s resulting negative impact on Plaintiff and Class members,” reads the complaint.

LastPass claims that over 33 million people use the service and boasts around 100k business accounts. The company is headquartered in the US.