LastPass data breach led to $53K in Bitcoin stolen, lawsuit alleges

A class-action lawsuit has been filed against password management service LastPass following a data breach from Aug. 2022.

The class action was filed with the United States district court of Massachusetts on Jan. 3 by an unnamed plaintiff known only as “John Doe” and on behalf of others similarly situated.

It alleges that the data breach of LastPass has resulted in the theft of around $53,000 worth of Bitcoin (BTC).

The plaintiff claimed he began accruing BTC in July 2022 and updated his master password to more than 12 characters using a password generator, as recommended by the LastPass “best practices.”

This was done to enable the storage of private keys in the seemingly secure LastPass customer vault.

When news of the data breach broke, the plaintiff deleted his private information from his customer vault. LastPass was hacked in Aug. 2022, with the attacker stealing encrypted passwords and other data, according to a December statement from the company.

Despite the quick action to delete the data, it appeared to be too late for the plaintiff. The lawsuit read:

“However, on or around Thanksgiving weekend of 2022, Plaintiff’s Bitcoin was stolen using the private keys he stored with Defendant [LastPass].”

“The LastPass Data Breach has, through no fault of his own, exposed him to the theft of his Bitcoin and exposed him to continued risk,” it added.

The suit claims that victims have been put at increased substantial risk of future fraud and misuse of their private information, which may take years to manifest, discover and detect.

LastPass is being accused of negligence, breach of contract, unjust enrichment and breach of fiduciary duty. However, the figure sought in damages was not specified.

Related: ‘Third-party incident’ impacted Gemini with 5.7 million emails leaked

According to cybersecurity researcher Graham Cluley, the stolen data includes unencrypted information including company names, user names, billing addresses, telephone numbers, email addresses, IP addresses and website URLs from password vaults.

In December, LastPass admitted that if customers had weak Master Passwords, the attackers may be able to use brute force to guess this password, allowing them to decrypt the vaults.