Key Takeaways:
- A plaintiff named John Doe filed the class action with the U.S. District Court for the District of Massachusetts on January 3.
- Plaintiffs are allegedly now significantly more at risk of future fraud and abuse of their personal information, according to the lawsuit.
A class-action lawsuit has been brought against the password management service LastPass over a data breach that occurred in August 2022.
On January 3, a plaintiff identified only as “John Doe” filed the class action with the United States District Court for the District of Massachusetts on behalf of himself and all others in a comparable situation. It asserts that the LastPass data breach resulted in the loss of Bitcoin worth roughly $53,000.
According to the complainant, he began accumulating Bitcoin in July 2022 and changed his master password to more than 12 characters using a password generator, in accordance with LastPass’s “recommended practices” at that time. He did this so that he could store private keys in the ostensibly safe LastPass user vault.
After learning about the data incident, the complainant promptly erased his personal information from his customer vault. LastPass was compromised in August 2022, according to a statement from the company in December, and the attacker obtained encrypted passwords and other information. Even though the content was swiftly removed, the plaintiff appears to have acted too late. The complaint stated:
“However, on or around Thanksgiving weekend of 2022, Plaintiff’s Bitcoin was stolen using the private keys he stored with Defendant [LastPass]. The LastPass Data Breach has, through no fault of his own, exposed him to the theft of his Bitcoin and exposed him to continued risk.”
Plaintiffs, it is claimed, now face a higher risk of future fraud and misuse of their personal information, which might take years to manifest, be discovered, and be stopped. LastPass has been accused of negligence, breach of contract, unjust enrichment, and breach of fiduciary duty. However, the amount of the claimed damages has yet to be made public.
According to cybersecurity specialist Graham Cluley, the unencrypted information stolen from password vaults includes company names, user names, billing addresses, phone numbers, email addresses, IP addresses, and website URLs.
In December, LastPass acknowledged that if users had weak master passwords, attackers could use brute force to guess the password and decrypt the vault.