Lawsuit Claims LastPass Breach Caused $53K Bitcoin Theft
Class Action Lawsuit Says Security Company Failed to Safeguard Customer Data
A class action lawsuit against LastPass alleges that a data breach in August resulted in the theft of $53,000 in bitcoin. An unnamed plaintiff alleges that negligence in the password management company's data security practices led to the Thanksgiving weekend theft.
The plaintiff, using the alias "John Doe," claims he purchased the bitcoin over a period of three months beginning July 2022. He then updated the master password of his LastPass account in order to store the highly sensitive bitcoin private keys. This aligned with the standard "best practices" of the company, the lawsuit says.
The lawsuit says LastPass initially disclosed the breach in August and said users faced no significant risks, and the plaintiff deleted his private information from the customer vault. But it appears his actions were a little too late. "On or around Thanksgiving weekend of 2022, plaintiff's Bitcoin was stolen using the private keys he stored with LastPass," the lawsuit says.
The lawsuit claims the plaintiff is at continued risk and the loss is due to the company's negligent data security practices. It also alleges breach of contract, breach of implied contract, unjust enrichment and breach of fiduciary duty.
LastPass did not immediately respond to a request for comment from Information Security Media Group.
The complaint also alleges that LastPass' "stronger-than-typical" setting of 100,100 iterations of the PBKDF2 algorithm is actually below the 310,000 iterations that the Open Web Application Security Project recommended for PBKDF2 at the time.
PBKDF2, like its predecessor PBKDF1, is a password-based key derivation function with a tunable computational cost: the iteration count sets how much work a single derivation takes, and therefore how much each guess costs an attacker brute-forcing the master password offline against a stolen vault.
LastPass, for its part, has cited its 12-character minimum for master passwords, which it says "greatly minimizes the ability for successful brute-force password guessing," according to the lawsuit.
The plaintiff counters that "many password managers have solved this issue by either adding a truly random factor to the encryption - a secret key - or by switching to key generation methods that are much more difficult to brute-force than PBKDF2."
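The following added example, which is not part of the article or of any LastPass code, models the two points above: PBKDF2's iteration count as a linear work factor, and the "secret key" design the plaintiff refers to, in which a random device-side value is mixed into the derived key so that a stolen vault cannot be opened by guessing the master password alone. The vault format, the key-check value and the HMAC mixing step are illustrative constructions for this example, not any vendor's actual scheme.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Iteration counts cited in the complaint: LastPass's 100,100 and the
# 310,000 that OWASP recommended for PBKDF2-HMAC-SHA256 at the time.
LASTPASS_ITERATIONS = 100_100
OWASP_ITERATIONS = 310_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int,
                     secret_key: Optional[bytes] = None) -> bytes:
    """Derive a 256-bit vault key from the master password with PBKDF2-HMAC-SHA256.

    Without secret_key this models a password-only design: everything the
    attacker needs besides the password (salt, iteration count) is inside the
    stolen vault blob.  With secret_key (a random value generated on the user's
    device and never sent to the server) the PBKDF2 output is mixed with it via
    HMAC, so a correct password guess alone does not reproduce the key.
    The mixing step is an illustrative construction, not any vendor's scheme.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def make_vault(master_password: str, iterations: int,
               secret_key: Optional[bytes] = None) -> dict:
    """Return what a server-side backup might hold: the salt, the iteration
    count, and a key-check value the attacker can test guesses against.
    (Constructed format for this example.)"""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt, iterations, secret_key)
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def offline_guess(vault: dict, candidates: Iterable[str]) -> Optional[str]:
    """Model an attacker holding a stolen vault blob: run PBKDF2 over each
    candidate with the vault's own salt and iteration count and compare the
    key-check value.  The attacker has no secret key, so a secret-key vault
    stays closed even when the true password is in the candidate list."""
    for guess in candidates:
        key = derive_vault_key(guess, vault["salt"], vault["iterations"])
        check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
        if hmac.compare_digest(check, vault["check"]):
            return guess
    return None


def work_factor_ratio(iterations_a: int, iterations_b: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so this is how much more
    each guess costs at iterations_b than at iterations_a."""
    return iterations_b / iterations_a


if __name__ == "__main__":
    # Constructed wordlist; the victim's password is deliberately in it.
    WORDLIST = ["password", "letmein", "Summer2022!", "correct horse", "hunter2"]
    weak = make_vault("Summer2022!", LASTPASS_ITERATIONS)
    print("password-only vault cracked with:", offline_guess(weak, WORDLIST))
    strong = make_vault("Summer2022!", LASTPASS_ITERATIONS,
                        secret_key=secrets.token_bytes(16))
    print("secret-key vault cracked with:", offline_guess(strong, WORDLIST))
    print("per-guess cost at OWASP count vs LastPass count: %.2fx"
          % work_factor_ratio(LASTPASS_ITERATIONS, OWASP_ITERATIONS))
```

Raising the iteration count only multiplies the attacker's per-guess cost (about 3.1x here); the secret key changes the problem from guessing a human-chosen password to guessing a 128-bit random value, which is why the complaint treats the two mitigations differently.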
Timeline of LastPass Breach
In August, an unnamed threat actor gained unauthorized access to LastPass that compromised the source code and proprietary technical information of the password manager service. At the time, a LastPass spokesperson told Information Security Media Group that there is "no evidence" the attacker gained access to customer data or encrypted password vaults (see: Hacker Steals Source Code, Proprietary Data From LastPass).
In September, LastPass revealed that the threat actor had unauthorized access to its development environment for four days but maintained that no customer data was accessed (see: Hacker Accessed LastPass Internal System for 4 Days).
In November, the company disclosed that "certain elements of our customers' information" were compromised (see: LastPass Breach Exposes Customer Data).
In December, the company further expanded the scope of the breach to its encrypted password vaults and corporate cloud storage backup environment (see: LastPass Breach: Attacker Stole Encrypted Password Vaults).