A class action lawsuit has been filed in the U.S. District Court in Massachusetts, accusing LastPass of failing to secure sensitive customer data and seeking monetary relief for losses caused by recent data breaches.
LastPass is a widely used password manager, password generator, and secure vault app, offering over 30 million users and 85,000 firms an easy way to create, store, manage, and use their secrets.
On December 22, 2022, LastPass reported that an unauthorized party had accessed a cloud server in August 2022, where the software company stored backups of production data.
Through this unauthorized access the intruders obtained access keys, which they then used to move deeper into the environment and reach storage points containing customer information.
This includes company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from where customers were accessing the LastPass service.
The company claimed that the vault copies downloaded from these storage points are encrypted with 256-bit AES using a key derived from the user's master password, so as long as that password is adequately strong, the AES key will be hard to recover.
The plaintiff in the class action lawsuit disputes LastPass's claims about the strength of the master key, alleging that even though he used a 12-character password, which should be adequately strong, his account was compromised by hackers on Thanksgiving 2022.
The plaintiff's vault stored private keys associated with Bitcoin purchases that cost him roughly $53,000. As a result of the breach, the digital assets were transferred