On January 3rd, 2023, a “class action lawsuit” was filed against LastPass, a password manager, that alleged data breach of LastPass resulted in the theft of around $53K worth of Bitcoin (BTC). This class action complaint is filed by “John Doe,” an individual and on behalf of all others similarly situated.
The class action is a type of a lawsuit, where one of the parties is a group of people who are represented collectively by a member of that group. This lawsuit, originated in the United States, allows consumer organizations to bring claims on behalf of consumers.
This class action for damages against LastPass for its failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach that began in August 2022. This data breach impacted the highly sensitive data of potentially millions of LastPass users, according to the lawsuit.
LastPass is a global password and identity management solutions company used by more than 30 million users and 85,000 businesses worldwide. In 2022, LastPass suffered significant security incidents. User data, billing information, and vaults were breached, leading many security professionals call for users to change all their passwords and switch to other password managers.
According to the lawsuit, all the private information of LastPass users’ is “extremely valuable,” and by accessing this information hackers can simply unlock the stolen vaults using the victims’ respective master passwords, which were probably stored by LastPass.
In July 2022, “John Doe,” began purchasing Bitcoin incrementally over the course of three months, which roughly amounted to $53K. And around “Thanksgiving weekend of 2022,” his Bitcoin was stolen using the private keys that he stored with LastPass. However, he discovered the theft a week later and then filed a police report and a report with the FBI that had not yet been heard from any of these authorities, as stated in the lawsuit.
Additionally, “John Doe” and Class members have been “put at increased, substantial risk of future fraud and/or misuse of their Private Information, which may take years to manifest, discover, and detect.”
Graham Cluley, a cyber security researcher, said the stolen data includes unencrypted data including company names, end user names, billing addresses, telephone numbers, email addresses, IP addresses, that customers used to access LastPass and website URLs from password vaults.
According to Mr. Cluley, just before Christmas, LastPass confirmed that the information stolen from a developer’s account in the August 2022 attack was actually “used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes…”
Source: https://www.thecoinrepublic.com/2023/01/05/a-lawsuit-states-lastpass-data-breach-costs-53k-bitcoin/