LastPass has been threatened with legal action following a months-long data breach that began in August 2022 and led to the leak of potentially millions of users’ private information.
A statement by the password manager's CEO Karim Toubba at the time said there was no evidence that any customer data was at risk, though a leading cybersecurity and forensics firm had been engaged.
A December 2022 notice announced that “an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident”.
LastPass August 2022 leak
According to the class action complaint filed in a Massachusetts court, names, usernames, billing addresses, email addresses, telephone numbers, and even the IP addresses used to access the service were all made available to wrongdoers.
The final straw could have been the leak of customers’ unencrypted vault data, which includes all manner of information ranging from website usernames and passwords to other secure notes and form data.
According to the lawsuit, “LastPass understood and appreciated the value of this Information yet chose to ignore it by failing to invest in adequate data security measures”.
The case’s plaintiff claims to have invested $53,000 in Bitcoin since July 2022, which was “stolen” several months later, leading to police and FBI reports.
More recently, Toubba took to the company’s blog to announce that “some source code and technical information were stolen from [LastPass’s] development environment”, leading to an attack on an employee’s account that saw credentials and keys being stolen. The company has since said that it is “decommissioning that environment in its entirety and rebuilding a new environment from scratch.”
While the case plaintiff has demanded a jury trial with regard to the leak and their subsequent losses, it remains to be seen what (if any) action shall be taken against LastPass.