Following a data breach in August 2022, a class action lawsuit has been brought against the password management service LastPass.

On Jan. 3, an unnamed plaintiff known only as "John Doe" filed the class action, on behalf of himself and others in a similar situation, with the U.S. district court of Massachusetts.

It claims that a data breach at LastPass led to the theft of Bitcoin valued at about $53,000.

The plaintiff said he started amassing BTC in July 2022 and, in accordance with the LastPass "best practices," modified his master password to include more than 12 characters using a password generator.

This was done to make it possible to store private keys in the ostensibly safe LastPass user vault.

LastPass first announced the breach in August 2022. At the time, it appeared that the attacker had obtained only source code and technical information, not any client data.

However, after an investigation, the company determined that the attacker used this technical information to hack another employee's computer, which was subsequently used to obtain keys to client data held in a cloud storage system.

As a result, unencrypted client metadata, such as "company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," was exposed to the attacker.

Encrypted vaults belonging to some clients were also accessed. Each customer who uses the LastPass service stores their website passwords in these vaults. Fortunately, the vaults are encrypted with a master password, preventing the intruder from reading them.

The complainant erased his personal information from his customer vault as soon as he learned about the data breach. According to a statement from the firm in December, LastPass was breached in August 2022, and the attacker stole encrypted passwords and other data.

Despite the speedy deletion of the material, it appeared that the plaintiff had passed the point of no return.

"However, on or around Thanksgiving weekend of 2022, Plaintiff's Bitcoin was stolen using the private keys he stored with Defendant [LastPass]," the complaint stated. "The LastPass Data Breach has, through no fault of his own, exposed him to the theft of his Bitcoin and exposed him to continued risk."

According to the lawsuit, victims are now at a higher risk of future fraud and exploitation of their personal information, which could take years to manifest, be discovered, and be identified.

LastPass is accused of negligence, breach of contract, unjust enrichment, and breach of fiduciary duty, but the amount requested in damages has not been specified.

According to cybersecurity researcher Graham Cluley, the stolen data includes unencrypted information from password vaults such as company names, user names, billing addresses, phone numbers, email addresses, IP addresses, and website URLs.