IOTW: LastPass facing class action lawsuit following data breach
The lawsuit accuses LastPass of failing to secure and safeguard customers’ personal data
Add bookmarkAn anonymous plaintiff has filed a class action lawsuit against password management company LastPass after the company suffered two data breaches within four months in 2022.
The suit, which was filed by an anonymous plaintiff referred to as ‘John Doe’ with the United States District Court of Massachusetts, alleges that LastPass failed to “exercise reasonable care in securing and safeguarding highly sensitive consumer data”.
The lawsuit also alleges that bad actors could “wreak financial havoc on the lives of LastPass users” affected by the breach. The plaintiff has accused LastPass of “likely stor[ing]” the master passwords of users – the sole way of unlocking users’ password vaults and accessing their login information – meaning users’ passwords would have been accessed during the cyber attack. This would allow malicious parties access to any number of users’ accounts, including those that store banking or payment information. However, according to LastPass, “master password[s] [are] never known to LastPass and [are] not stored or maintained by LastPass”, meaning they could not have been accessed in the breaches.
The lawsuit goes on to accuse LastPass of “failing to invest in adequate data security measures that would protect Plaintiff and the Class from the unauthorized access to, and copying of, their private information”, meaning that those affected by the breach are at an “especially high risk of ransom threats and blackmail attempts” due to the information exposed. This information includes company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses used to access LastPass services.
It also states that the personal data of victims is “no longer hidden but is, instead, in the hands of cybercriminals who have already fraudulently misused such data”. The evidence for this is stated to be that in November 2022, Doe had around US$53,000 worth of Bitcoin stolen from his blockchain wallet, allegedly via the use of private keys he had stored using LastPass.
The lawsuit goes on to allege that Doe has “never knowingly transmitted unencrypted sensitive personally identifiable information or information that is otherwise confidential over any unsecured source” and is "thoroughly diligent" with securing his personal information. For this reason, the only way his Bitcoin could have been stolen is if malicious parties gained access to his master password and therefore the private keys for his Bitcoin vault.
LastPass maintained, however, that it would be “extremely difficult to attempt to brute force master passwords” due to the hashing and encryption methods used to protect customers. The company also noted that it would take “millions of years to guess [a] master password using generally-available password-cracking technology” if customers followed its best-practice guidelines for creating master passwords.
The password management company also stated that “sensitive vault data, such as usernames and passwords, secure notes, attachments and form-fill fields” had remained safely encrypted due to LastPass’ zero knowledge architecture.
The LastPass' 2022 data breaches
In August and November 2022, LastPass suffered two connected data breaches that resulted in confidential customer information to be compromised.
The August breach saw a malicious actor steal source code and technical information from LastPass’ development environment that was then used to target an employee. This allowed the hacker to gain access to credentials and keys, which they then used to access LastPass’ third-party cloud storage service in November 2022. Using the keys, the malicious party was able to decrypt some storage volumes within the storage service.
After the information was decrypted, the hacker accessed and copied information stored on a cloud backup that included “basic customer account information and related metadata”. The number of customers affected has not yet been shared.
LastPass explained that the hacker was also able to “copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs”, as well as “fully-encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data”.
The password management company reassured its customers about the safety of their encrypted data, noting that all encrypted files remain “secured with 256-bit AES encryption”, meaning they need a unique encryption key derived from each user’s password to decrypt it. As LastPass does not know, store or maintain user master passwords, this reduces the chance of compromise.
Despite this, LastPass still warned its customers to be wary of social engineering or phishing attacks in the wake of the attack.