LastPass facing class action lawsuit over data breach

A class action lawsuit has been filed against LastPass following two breaches the software vendor suffered in 2022. The case is currently made up of more than 100 members.

Background of the breaches

In one of the last weeks of 2022, LastPass released a notice to its users about a security incident—the second one since August 2022.

In the notice, the CEO of LastPass stated:

“Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

LastPass confirmed that no user master passwords were stolen; the master password is needed to decrypt the stolen vault data and to access a user's account and logins. These master passwords will be very difficult to crack if users followed the LastPass best practice for setting the password: a minimum of 12 characters, including upper- and lower-case letters, numeric and special characters, and a password not reused for any other application. How hard it is in practice also depends on the PBKDF2 work factor applied to the master password, which the December notice put at 100,100 iterations by default; accounts that kept a lower iteration setting are correspondingly easier to attack. Note too that some vault fields, notably website URLs, were stored unencrypted, so an attacker can see which sites a user holds accounts at without cracking anything.

If your password doesn't meet these standards, there is a higher chance of it being cracked. LastPass recommends minimizing your risk by changing the passwords for the websites stored in your vault and remaining vigilant for phishing emails that use the exposed data.
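To make the guidance above concrete, the following Python is an added example (not LastPass code) that checks a candidate master password against the policy described in this article and estimates how long a brute-force attack on a stolen vault would take. The key derivation is modelled as PBKDF2-HMAC-SHA256 salted with the account email, with a 32-byte output; the salt choice, the output length, the example passwords and the attacker's hash rate of 1e10 HMAC-SHA256 per second are all assumptions made for illustration.

```python
import hashlib
import string

# Constructed example (not LastPass code). Checks a candidate master password
# against the policy quoted in the article and estimates the brute-force cost of
# a stolen vault for a given PBKDF2 iteration count and an assumed hash rate.

MIN_LENGTH = 12
SPECIALS = string.punctuation          # the 32 printable ASCII symbols
SECONDS_PER_YEAR = 365 * 24 * 3600


def policy_violations(password, other_passwords=()):
    """Return the reasons a candidate master password fails the policy (empty if it passes).

    other_passwords: passwords the user already uses elsewhere (e.g. the vault's own
    entries), used for the "not reused for any other application" rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password in other_passwords:
        problems.append("reused as the password for another site")
    return problems


def charset_size(password):
    """Size of the smallest standard character set an attacker must search to cover this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    return size


def derive_vault_key(master_password, email, iterations):
    """Stretch the master password with PBKDF2-HMAC-SHA256, salted with the account email.

    Assumption for illustration: the salt and the 32-byte output length are modelling
    choices here, not a statement of LastPass's exact scheme.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, 32
    )


def guesses_per_second(iterations, hmac_sha256_per_second):
    """Guess rate against a PBKDF2-protected key: each guess costs `iterations` HMAC computations."""
    return hmac_sha256_per_second / iterations


def expected_crack_years(password, iterations, hmac_sha256_per_second):
    """Expected years to brute-force `password` by searching half its character-class keyspace."""
    keyspace = charset_size(password) ** len(password)
    rate = guesses_per_second(iterations, hmac_sha256_per_second)
    return keyspace / 2 / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Hypothetical attacker capability: 1e10 HMAC-SHA256 per second on a GPU rig.
    RIG = 1e10
    for pw in ("sunshine", "Sunshine2022", "X7#pWq!2mLz9"):   # constructed sample passwords
        print(pw, policy_violations(pw) or "meets policy")
        for iters in (5_000, 100_100):
            print(f"  {iters:>7} iterations: ~{expected_crack_years(pw, iters, RIG):.3g} years")
    key = derive_vault_key("X7#pWq!2mLz9", "user@example.com", 100_100)
    print("derived vault key:", key.hex())
```

Running it shows the two levers that matter: an 8-character lower-case password falls in weeks at 100,100 iterations and in hours at 5,000, while a 12-character mixed-class password at 100,100 iterations is out of reach at any realistic guess rate. Raising the iteration count does not rescue a weak password, and a strong password keeps a stolen vault safe even if the iteration count was never upgraded.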

Class action lawsuit filed

With data on 25 million LastPass customers potentially exposed, a class action lawsuit made up of more than 100 members has been filed against LastPass.

The lawsuit, filed in the first week of January 2023, claims that the delay in communication to customers between the August 2022 incident and the December 2022 disclosure “provided the chance for hackers to use the stolen data to its fullest advantage.”

The class action was filed anonymously, with the plaintiff known only as “John Doe.” The complaint states that LastPass is being sued for “its failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach that began in August 2022.”

John Doe alleges that upon learning about the August 2022 data breach, he deleted his private information from his LastPass vault. He further alleges that around Thanksgiving 2022 his Bitcoin was nonetheless stolen using credentials that had been stored in his LastPass vault.

The class action states that John Doe, along with members of the class action lawsuit, would not have given LastPass their sensitive information had they known that LastPass “would be at risk of compromise and misuse due to (their) negligent data security practices.”

Retail Password Managers as business cybersecurity solutions

Retail password managers like LastPass have seen wide adoption for personal use because they make good security convenient. Breaches like this one show, however, that a password manager on its own is not a bulletproof cybersecurity solution for highly sensitive data.

It's important to be aware of the risks of using retail password managers for personal use, let alone in a business environment. For accountants and bookkeepers especially, every effort should be taken to secure client data, as a breach has a flow-on effect beyond the business to its clients.

When evaluating cybersecurity solutions for a business, key areas to consider include, but are not limited to: MFA, SSO, location restrictions, access logs and monitoring, email security, compliance documentation, and training.


If you are interested in learning more, talk with our team.