
Password manager, LastPass, is now facing a class-action lawsuit after suffering a data breach back in November 2022. Tech.co reports that an anonymous plaintiff in Massachusetts has filed a class action lawsuit claiming negligence on LastPass’ part is putting users at risk for Phishing attacks and other scams and is also a breach of contract with deceptive acts.
“This is a class action for damages against Defendant for its failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with amassive, months-long data breach that began in August 2022 (the “Data Breach”) and impacted the highly sensitive data of potentially millions of LastPass users, including Plaintiff and putative Class (defined below) members, resulting in the unauthorized public release and subsequent misuse of their names, end-user names, billing addresses, email addresses, telephone numbers, IP addresses from which customers were accessing the LastPass service, and customer vault data where certain unencrypted data was stored, including website usernames and passwords, secure notes, and form-filled data”

As a password manager, services like LastPass are extremely popular and useful for those swamped with troves of passwords who desire a more convenient means of using them but represent a gold mine for hackers. Even if a database is successfully scraped of basic info there could potentially be plenty to provide them with means of further attacks on users. However that and more seems to be the crux of this lawsuit and evidently, this is not the first time that LastPass has suffered a breach.
“However, even with this knowledge, LastPass’s lax data security measures led to the Data Breach and, as a result, Plaintiff and Class members are no longer in possession of a secure customer vault. Their Private Information is no longer hidden but is, instead, in the hands of cybercriminals who have already fraudulently misused such data.”
LastPass posted these seemingly contradictory messages on its social media page following its most recent breach in November.
LastPass customers who received a Dark Web Monitoring alert reporting that there was an OpenTable security breach can safely ignore this message. This was sent in error and was a false report.
— LastPass (@LastPass) December 2, 2022
The plaintiff claims that they had used LastPass to create their password as a means of managing their bitcoin purchases valued at roughly $53,000. They had used the LastPass password generator create a master password and to store the keys in his LastPass vault. However, upon learning about the breach in November he then discovered his keys had been stolen from the vault and proceeded to file reports with local and federal agencies. According to the 40-page court document, the breach in November 2022 was achieved using data obtained from a previous breach in August 2022. LastPass has previously also been in the news when it denied claims from users in December 2021 that their master passwords had been obtained.

Discussion (5 replies)
Join Discussion →People laughed at me 5-10 yrs. ago when I told them that using a password manager is just turning 50 separate points of defense into a single point of failure.
All the issues LastPass has had in recent times, I had friends who were using LastPass switch to KeePass and Bitwarden. I myself never bothered to use a password manager. Instead I keep a text file with vague hints as to the passwords for all my accounts - hints so vague that sometimes they don't even help me remember!
I don't personally use any pw managers but at work we use Lastpass. At home I use a spiral notepad, but there have been times when I'm on the road where that doesn't work out.
I have been there also..:confused:
No matter what strategy there are always pros and cons to each solution. I know someone that uses paper notebooks as well and they're constantly having problems keeping track, this was recommended by college professors in my security class and I used to do this but at work, I've got close to a hundred or more now (no exaggerating-nearly 20 years at a job will do that when you wear as many hats as I do) and then close to 3 dozen for personal. Meanwhile, I will password-protect a file with everything and keep it on external media, and update it as needed. But just like paper, if lost or compromised that becomes an issue but it at least doesn't allow the kit and kaboodle to be on the cloud.