LastPass is being sued following major cyberattack

LastPass has been threatened with legal action after a months-long data breach that began in August 2022 and led to the leak of potentially millions of users’ private data.

A statement from the password manager’s CEO, Karim Toubba, claimed at the time that there was no evidence that customer data had been compromised, even though a leading cybersecurity and forensics company had been engaged.

A December 2022 post announced that “An unknown threat actor has gained access to a cloud-based storage environment by using information obtained from the incident”.

LastPass August 2022 leak

According to the class action complaint filed in a Massachusetts court, names, usernames, billing addresses, email addresses, phone numbers, and even the IP addresses used to access the service were all exposed to the attackers.

The last straw could have been the leak of customers’ unencrypted vault data, which contained everything from website usernames and passwords to other secure notes and form data.

According to the lawsuit, LastPass “understood and appreciated the value of this information, but chose to ignore it by not investing in adequate data security measures.”

The plaintiff of the case claims to have invested $53,000 in Bitcoin since July 2022, which was “stolen” several months later, leading to police and FBI reports.

More recently, Toubba took to the company blog to announce that “some source code and technical information has been stolen from [LastPass’s] development environment,” which led to an attack on an employee’s account where credentials and keys were stolen. The company has since “decommissioned that environment in its entirety and built a new environment from scratch.”

While the plaintiff has sought a jury trial regarding the leak and subsequent losses, it remains to be seen what action (if any) will be taken against LastPass.
