Class Action Filed Over LastPass Data Breach: Here’s What You Need to Know
by Erin Shaak
Global password manager LastPass was hit with a proposed class action lawsuit yesterday over a months-long data breach that affected potentially millions of users.
Although LastPass positions itself as a trailblazer in the world of digital security, the 40-page lawsuit alleges that the company’s “lax data security measures” allowed customers’ sensitive information to be accessed by unauthorized parties starting in August 2022.
To make matters worse, the case claims LastPass’ response to the breach was just as lackluster, with the company apparently waiting months to notify victims and “shameless[ly]” attempting to shift the blame for any negative consequences onto users.
The lawsuit claims LastPass data breach victims—the total number of which may reach into the millions given the company’s 30-million-strong user base—now face a heightened risk of identity theft and fraud, and even a threat to their physical safety given their home addresses and the types of accounts they own may have been exposed.
“While the exact reason(s) for the Data Breach remain unclear, there is no doubt that Defendant failed to adequately protect Plaintiff’s and Class members’ Private Information and incorporate the tools necessary to keep such Private Information safe; such negligent failures resulted in the injuries alleged herein,” the complaint states.
What information was exposed during the LastPass data breach?
According to the lawsuit, LastPass customers’ names, end-user names, billing addresses, email addresses, phone numbers, IP addresses and vault data may have been compromised during the breach.
The exposure of customer vault data is significant, the suit says, because each customer’s vault—which contains website usernames and passwords, secure notes, form-filled data and other sensitive (and possibly unencrypted) information—can be accessed with one master password.
As one security researcher put it, “[T]he only thing preventing the threat actors from decrypting your data is your master password. If they are able to guess it, the game is over.”
The lawsuit further stresses that the exposure of the unencrypted website URLs in customers’ vaults could allow cybercriminals to target specific vaults that they believe to be high value, such as those belonging to users who have purchased cryptocurrency.
Moreover, the exposure of customers’ billing addresses, i.e., their home addresses, puts them at an “especially high risk” of ransom threats and blackmail attempts by cybercriminals attempting to gain access to their accounts, the case alleges.
In sum, the lawsuit claims the information exposed by LastPass is “extremely valuable” and could be used to “wreak financial havoc” on the lives of victims.
‘Stronger-than-typical’? Lawsuit blasts LastPass data breach notice
In a December 22 notice on LastPass’ website, the company assured customers that the encrypted fields in their customer vaults “remain secured” and can only be decrypted using each user’s master password, which LastPass claims is never known or stored by the company.
The notice went on to state that it would be “extremely difficult” for someone to brute force guess the master passwords of customers who followed LastPass’ “password best practices” and assured these users that the company’s “stronger-than-typical” proprietary password-strengthening algorithm further increases the security of their master passwords, such that it would take “millions of years” for “generally-available password-cracking technology” to guess them.
The lawsuit alleges, however, that LastPass’ implementation of 100,100 iterations of its key-derivation algorithm (PBKDF2) is “actually well below the standard 310,000 iterations recommended by the Open Web Application Security Project.” Per the case, modern graphics cards could be used to guess someone’s master password much more quickly than LastPass represented—potentially in “slightly more than two months,” or even less time if more than one graphics processor were used.
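The dispute above comes down to two numbers: how many candidate master passwords an attacker with a stolen vault can test per second, and how large the space of candidates is. The following is an added example, not LastPass’ code or any code from the complaint. It models the scheme the notice describes at a high level (the vault key is PBKDF2-HMAC-SHA256 of the master password, salted with the account email, run for N iterations); the lower-casing of the email salt, the sample email and password, the wordlist, and the attacker hash rate are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

# Added illustration, not LastPass's implementation. Only the overall shape
# (PBKDF2-HMAC-SHA256, email as salt, configurable iteration count) follows the
# company's public description; salt normalisation and rates below are assumed.

OLD_ITERATIONS = 100_100    # figure the complaint attributes to LastPass
OWASP_ITERATIONS = 310_000  # OWASP PBKDF2-HMAC-SHA256 minimum cited in the complaint
KEY_LEN = 32                # 256-bit vault key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into the key that protects the vault.
    The email is public to whoever stole the vault, so it contributes no secrecy,
    only per-user salting."""
    salt = email.strip().lower().encode("utf-8")          # assumed normalisation
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def offline_guess(target_key: bytes, email: str, iterations: int, wordlist):
    """Offline attack against a stolen vault: the attacker holds the ciphertext and
    the salt, so each guess costs one PBKDF2 derivation and no server can rate-limit
    or lock it out. Returns (recovered_password, guesses_made) or (None, guesses_made)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if hmac.compare_digest(derive_vault_key(guess, email, iterations), target_key):
            return guess, tried
    return None, tried


def hours_to_exhaust(keyspace: int, hmac_sha256_per_second: float, iterations: int) -> float:
    """Worst-case time to try every candidate. PBKDF2 cost is linear in `iterations`:
    with a 32-byte output each candidate costs exactly `iterations` HMAC-SHA256 calls."""
    return keyspace * iterations / hmac_sha256_per_second / 3600


if __name__ == "__main__":
    email = "victim@example.com"      # constructed
    weak = "Summer2022!"              # constructed: a guessable, human-chosen master password
    wordlist = ["password", "letmein", "Summer2021!", weak, "correct horse battery"]

    stolen = derive_vault_key(weak, email, OLD_ITERATIONS)   # what the thief already has
    t0 = time.perf_counter()
    found, n = offline_guess(stolen, email, OLD_ITERATIONS, wordlist)
    print(f"recovered {found!r} after {n} guesses in {time.perf_counter() - t0:.2f}s")

    # Assumed attacker throughput: 1e10 HMAC-SHA256/s, a rough order of magnitude
    # for a single modern GPU; substitute a measured figure for a real estimate.
    RATE = 1e10
    keyspace = 36 ** 8   # every 8-character lowercase+digit password
    for it in (OLD_ITERATIONS, OWASP_ITERATIONS):
        print(f"{it:>7} iterations: ~{hours_to_exhaust(keyspace, RATE, it):,.0f} h to exhaust 36^8")
```

Two things the example makes concrete. Raising the iteration count from 100,100 to 310,000 multiplies the attacker’s cost by about 3.1, and nothing more: it is a linear knob. Password entropy, by contrast, is exponential; adding one random character to the master password multiplies the keyspace by the alphabet size. That is why a randomly generated master password (as the plaintiff says he used) stays out of reach even at the lower iteration count, while a human-chosen one that appears in a wordlist falls in a handful of guesses regardless of the count.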
According to an article published by The Verge, LastPass’ assurances have since been “torn apart” by security experts, who have suggested that the data breach notice may have made customers “feel more secure than they actually are.”
Per the suit, the data breach notice is “a shameless attempt” to shift the blame for any negative effects of the breach onto customers, particularly those who did not follow the company’s “best practices”—which the case claims LastPass never provided notice of or attempted to enforce.
The lawsuit also claims the data breach notice was “unreasonably delayed”—considering the company learned of the data breach back in August 2022—and “woefully inadequate” given LastPass has not disclosed certain details about the security incident or offered any remedy to address the “devastating aftermath.”
“Defendant not only failed to adequately disclose the Data Breach to impacted customers, but it also failed to explain the extent of the Data Breach, where the information was lost, and to whom it may have been lost,” the complaint states. “Users, cybersecurity experts, other password management companies, and the media have each justly criticized LastPass, in one instance stating that it is ‘abundantly clear that [LastPass does] not care about their own security, and much less about your security.’”
The plaintiff’s experience
The plaintiff, a Pennsylvania resident who filed the lawsuit under a pseudonym, says he stored the “highly sensitive private keys” associated with roughly $53,000 worth of Bitcoin purchases in his LastPass customer vault.
At the time of his first Bitcoin purchase (around early July 2022), the plaintiff updated his master password using a password generator to comply with LastPass’ “best practices” and has always been “very careful” about sharing his sensitive information, the suit says.
Per the complaint, although the plaintiff deleted his private information from his customer vault upon learning of the LastPass data breach, the man’s Bitcoin was stolen around late November 2022 using the private keys he stored with LastPass.
Who does the lawsuit look to cover?
The lawsuit aims to represent anyone whose personal information was accessed, compromised, copied, stolen or exposed as a result of the LastPass data breach.
How do I join the LastPass data breach lawsuit?
There’s usually nothing you need to do to join, or be considered part of, a class action lawsuit when it’s first filed. In most cases, those who are “covered” by the lawsuit, called “class members,” should sit tight until (and if) the lawsuit moves forward and settles, which could take months or years. At this point, the people affected should receive direct notice of the settlement, usually by mail or email, with instructions on what to do next.
In the meantime, LastPass data breach victims can stay in the loop on class action news and settlement information by signing up for ClassAction.org’s free weekly newsletter.