A class action lawsuit has been filed against password management software vendor LastPass following a breach in August 2022 which saw customer data stolen. The case is made up of more than 100 class members.


LastPass, which has more than 30 million registered users, initially sought to play down the extent of the breach when it took place last summer. Confirming a ‘security incident’ had taken place, it said its products were “operating normally” and that the company did not “recommend any action on behalf of users”. However, the extent of the breach was revealed four months later, with data on 25 million LastPass customers potentially exposed.

The lawsuit, filed this week, alleges that the delay between the incident and this disclosure gave hackers the chance to use the stolen data to its fullest advantage.

LastPass sued in class action suit

The class action was anonymously filed, with the plaintiff only being named as “John Doe”. The document states that LastPass is being sued “for its failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach”.

Throughout the allegations, the legal team behind the case claim that LastPass’s actions were woefully insufficient to protect its users’ private information from compromise and misuse. Through the breach, it says, hackers managed to gain access to personally identifiable information including names, billing addresses, telephone numbers, and customer vault data, where certain unencrypted information was stored. This included “website usernames and passwords, secure notes, and form-filled data.”

The lawsuit alleges that the advice LastPass gave to its customers when the breach was initially disclosed was irresponsible and gave hackers the chance to use the stolen data at their leisure. “The defendant’s disclosure, in addition to being unreasonably delayed, has been woefully inadequate and directly contributed to the damages suffered by Plaintiff and the Class thus far,” court documents state.

The company’s actions could put it in breach of US legislation, the Federal Trade Commission Act, as it engaged in “unfair or deceptive acts or practices in or affecting commerce”.

The figure sought in damages has not been specified.

How the LastPass breach unfolded

LastPass announced the breach on 25 August, with the company’s CEO Karim Toubba stating it had “detected some unusual activity within portions of the LastPass development environment.”

This breach had given an unauthorised third party access to portions of source code and some proprietary LastPass technical information through the company’s development servers, the company said. However, it said an “investigation [had] shown no evidence of ‘unauthorised access to customer data’” and there was no need for customers to take any action.

However, an update released by the company last month said “an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident previously disclosed.” This had, in fact, led to the loss of data on 25 million users.

The update informed its customers that they were at risk of a plethora of cybercrimes, including “phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault.” The lawsuit quotes one unnamed cybersecurity expert who said that it was “abundantly clear that [LastPass does] not care about their own security, and much less about [user] security.”

Tech Monitor has approached LastPass for comment on the accusations in the legal case.
