According to a recently filed lawsuit, the LastPass data breach led to the theft of $53k worth of Bitcoin. The class action was filed with the U.S. district court of Massachusetts on Jan. 3 by an unnamed plaintiff known only as “John Doe” and on behalf of others similarly situated.
One of the parties behind the lawsuit, an individual from the state of Pennsylvania, claims he lost $53k worth of Bitcoin due to a compromised password that was stored in the LastPass customer vault. The individual claims he deleted his private information from the company’s vault after learning about the breach in August. However, around the Thanksgiving weekend of 2022, his Bitcoin was stolen.
The lawsuit also questions the accuracy of LastPass’ claims that neither breach resulted in the loss of user master passwords, the keys used to protect the vaults that hold customer passwords. “Not only has this statement not been verified through discovery, but it is also a shameless attempt by LastPass to shift the blame of the Data Breach’s resulting negative impact on Plaintiff and Class members,” reads the complaint.
What is LastPass?
LastPass claims that over 33 million people use the service and boasts around 100k business accounts. The company is headquartered in the US.
When you use a password manager like LastPass or 1Password, it stores a list containing all of the user names and passwords for the sites and apps you use, including banking, health care, email and social networking accounts. It keeps track of that list, called the vault, in its online cloud so you have easy access to your passwords from any device. LastPass said hackers had stolen copies of the list of user names and passwords of every customer from the company’s servers.
LastPass Data Breach
This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But other than the obvious next step — to change all of your passwords if you used LastPass — there are important lessons that we can learn from this debacle, including that security products are not foolproof, especially when they store our sensitive data in the cloud.
Karim Toubba, the chief executive of LastPass, declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive vault data encrypted and secured. He also said it was users’ responsibility to “practice good password hygiene.”