January 5, 2023

LastPass data breach leads to class action lawsuit from disgruntled customers

Having initially played down the breach, the password management company is now facing court action.

By Claudia Glover

A class action lawsuit has been filed against password management software vendor LastPass following a breach in August 2022 which saw customer data stolen. The case is made up of more than 100 class members.

LastPass sued in class action suit for breach of contract. (Photo by II.studio/Shutterstock)

LastPass, which has more than 30 million registered users, initially sought to play down the extent of the breach when it took place last summer. Confirming a ‘security incident’ had taken place, it said its products were “operating normally” and that the company did not “recommend any action on behalf of users”. However, the extent of the breach was revealed four months later, with data on 25 million LastPass customers potentially exposed.

The lawsuit, filed this week, alleges that the time between the incident and this disclosure taking place provided the chance for hackers to use the stolen data to its fullest advantage.

LastPass sued in class action suit

The class action was anonymously filed, with the plaintiff only being named as “John Doe”. The document states that LastPass is being sued “for its failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach”.

Throughout the allegations, the legal team behind the case claim that LastPass’s actions were woefully insufficient to protect its users’ private information from compromise and misuse. Through the breach, it says, hackers managed to gain access to personally identifiable information including names, billing addresses, telephone numbers, and customer vault data, where certain unencrypted information was stored. This included “website usernames and passwords, secure notes, and form-filled data.”

The lawsuit alleges that the advice LastPass gave to its customers when the breach was initially disclosed was irresponsible and gave hackers the chance to use the stolen data at their leisure. “The defendant’s disclosure, in addition to being unreasonably delayed, has been woefully inadequate and directly contributed to the damages suffered by Plaintiff and the Class thus far,” court documents state.

The company’s actions could put it in breach of US legislation, the Federal Trade Commission Act, as it engaged in “unfair or deceptive acts or practices in or affecting commerce”.

The figure sought in damages has not been specified.

How the LastPass breach unfolded

LastPass announced the breach on 25 August, with the company’s CEO Karim Toubba stating it had “detected some unusual activity within portions of the LastPass development environment.”

This breach had given an unauthorised third party access to portions of source code and some proprietary LastPass technical information through the company’s development servers, the company said. However, it said an “investigation [had] shown no evidence of ‘unauthorised access to customer data’” and there was no need for customers to take any action.

However, an update released by the company last month said “an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident previously disclosed.” This had, in fact, led to the loss of data of 25 million users.

The update informed LastPass customers that they were at risk of a plethora of cybercrimes, including “phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault.” The lawsuit quotes one unnamed cybersecurity expert who said that it was “abundantly clear that [LastPass does] not care about their own security, and much less about [user] security.”

Tech Monitor has approached LastPass for comment on the accusations in the legal case.
