LastPass is facing a lawsuit filed in the US District Court of Massachusetts on Jan. 3. The suit alleges that LastPass failed to protect user data during a breach in August 2022 adequately.
In recent years, password management services have become essential for individuals and businesses looking to secure their online accounts and protect against cyber threats. However, even the most reliable and trusted services can fall victim to data breaches, as demonstrated by the recent class action lawsuit against LastPass.
The litigation was filed by a plaintiff known only as “John Doe” and on behalf of others in a similar situation. The theft of over $53,000 worth of bitcoin (BTC) happened due to LastPass’s data breach.
According to the plaintiff, he began accumulating bitcoins in July 2022 and updated his master password to more than 12 characters using a password generator recommended by LastPass’s “exquisite practices.” This was done to enable the storage of private keys inside the ostensibly secure LastPass customer vault.
The complainant erased his private information from his customer vault when news of the data incident leaked. According to a statement from the company in December, a hacker stole encrypted passwords and other data from LastPass in August 2022.
Despite the speedy deletion of the materials, it appeared that the plaintiff had passed the point of no return. It also stated that the LastPass Data Breach had subjected him to the loss of his BTC, exposing him to further risk via no fault of his own.
Victims are susceptible to fraud in the prospective future
The lawsuit asserts that victims now face a significantly greater risk of future fraud and exploitation of their personal information, risks that could take years to materialize, find and identify.
LastPass has been accused of negligence, violation of contract, unjust enrichment, and breach of fiduciary obligation. Still, the amount requested in damages has not been disclosed.
Cybersecurity expert explains what is at stake further
Graham Cluley, a cybersecurity expert, claims that the unencrypted data stolen from password vaults includes corporate names, user names, billing addresses, phone numbers, email addresses, IP addresses, and website URLs.
He explains in his blog that the hackers now have access to the victims’ contact information and their websites of choice.
That’s important knowledge for anyone trying to phish someone for further information because they might easily impersonate one of the websites you visit and send you a phishing email.
Additionally, even knowing which websites they visit could reveal personal information about them that they would prefer to keep secret.
Furthermore, it’s possible that the victims saved password reset links for these websites in their password manager that may not have expired, as well as other sensitive data or tokens in the URLs of their websites that they would not want to end up in the hands of malicious users.