
The complaint for this class action opens with the line, “This lawsuit exists because cybercriminals unsurprisingly targeted a company in the business of storing and managing login credentials, identities, and passwords … for over 33 million users and 100,000 businesses worldwide.” The company is LastPass US, LP, which suffered a data breach in the latter half of 2022 because, the complaint alleges, “its own security program was woefully inadequate.”
The Nationwide Class for this action is all natural persons living in the US whose personally identifiable information (PII) was compromised, extracted, copied, stolen, or otherwise exposed because of the data breach.
LastPass, a “freemium” and subscription service, stores things like passwords and login information for individuals and businesses.
Customers may store their information in “vaults” that allow users to store all their logins and passwords under a single master password. The vaults can contain “unencrypted data such as website URLs, alongside encrypted data, such as the customer’s login name and password for those websites” as well as “additional encrypted data such as secure notes, data used to automatically fill forms, and even images of identifying documents like driver’s licenses, health insurance cards, or passports.”
The complaint accuses LastPass of having “unsound, vulnerable systems” for housing this important data that “were an open invitation for a multi-step intrusion and exfiltration and decryption of valuable data by cybercriminals[.]”
How did the data breach happen? The complaint alleges, “A threat actor was able to successfully target a LastPass employee, obtain credentials and keys to access and decrypt storage volumes within its cloud-based storage service and exploit source code and technical information stolen from LastPass’[s] development environment” to get account information and metadata and copy customer vault data as well.
Unfortunately, the complaint claims that LastPass has not said exactly when the data breach occurred, except that it began sometime after August 2022. This matters, the complaint alleges, because although much of the information stolen was encrypted, given enough time, it says, the cybercriminals can crack the keys used to encrypt the information.
According to the complaint, LastPass recently admitted that cybercriminals got into its systems more than once, in what the complaint calls an example of “iterative attacks, which begin with seemingly innocuous probes of a website by hackers hoping to build knowledge of the infrastructure and to search out potential vulnerabilities, before returning weeks or months later with more powerful tools and better knowledge about the target’s defenses.”
The first entry into the company’s system occurred in August 2022, the complaint alleges, at which time no customer data was accessed, although source code and technical information were stolen. Hackers launched the main attack later in the year, as the company announced on December 22, 2022.
Article Type: Lawsuit. Topic: Privacy.
Most Recent Case Event
LastPass Iterative Attack Data Breach Complaint
February 10, 2023