Password manager LastPass is now facing a class-action lawsuit after suffering a data breach in November 2022. Tech.co reports that an anonymous plaintiff in Massachusetts has filed a class-action lawsuit claiming that negligence on LastPass’ part is putting users at risk of phishing attacks and other scams, and that it also amounts to a breach of contract with deceptive acts.
“This is a class action for damages against Defendant for its failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach that began in August 2022 (the “Data Breach”) and impacted the highly sensitive data of potentially millions of LastPass users, including Plaintiff and putative Class (defined below) members, resulting in the unauthorized public release and subsequent misuse of their names, end-user names, billing addresses, email addresses, telephone numbers, IP addresses from which customers were accessing the LastPass service, and customer vault data where certain unencrypted data was stored, including website usernames and passwords, secure notes, and form-filled data”
Password managers like LastPass are extremely popular and useful for those swamped with troves of passwords who want a more convenient means of using them, but they represent a gold mine for hackers. Even if only basic information is successfully scraped from a database, it could potentially give attackers plenty to work with for further attacks on users. That and more seems to be the crux of this lawsuit, and evidently this is not the first time that LastPass has suffered a breach.
“However, even with this knowledge, LastPass’s lax data security measures led to the Data Breach and, as a result, Plaintiff and Class members are no longer in possession of a secure customer vault. Their Private Information is no longer hidden but is, instead, in the hands of cybercriminals who have already fraudulently misused such data.”
LastPass posted these seemingly contradictory messages on its social media page following its most recent breach in November.
LastPass customers who received a Dark Web Monitoring alert reporting that there was an OpenTable security breach can safely ignore this message. This was sent in error and was a false report. — LastPass (@LastPass) December 2, 2022
The plaintiff claims that he had used LastPass to create his password as a means of managing his bitcoin purchases, valued at roughly $53,000. He had used the LastPass password generator to create a master password and stored the keys in his LastPass vault. However, upon learning about the breach in November, he discovered that his keys had been stolen from the vault and proceeded to file reports with local and federal agencies. According to the 40-page court document, the breach in November 2022 was achieved using data obtained from a previous breach in August 2022. LastPass was also previously in the news when it denied claims from users in December 2021 that their master passwords had been obtained.