An anonymous LastPass user named John Doe filed a class-action lawsuit against the password management provider for failing to prevent a data breach that occurred in August 2022. The lawsuit accuses LastPass of not investing in adequate data security measures, which led to the unauthorized release and misuse of users’ personal information such as names, billing addresses, email addresses, telephone numbers, IP addresses, and customer vault data.
The lawsuit claims that, because of this breach, users are at substantial risk of phishing emails and scams, in addition to the fraud they have already suffered. It also takes issue with LastPass’s claim that users remain protected because the company has no knowledge of their master passwords, calling it a “shameless attempt by LastPass to shift the blame of the Data Breach’s resulting negative impact.”
The class-action lawsuit points out that the hacker not only stole the vaults but also managed to steal unencrypted personal information about users, including billing addresses, email addresses, telephone numbers, and the website URLs assigned to each encrypted password.
LastPass, which has over 30 million users, did not respond to a request for comment. LastPass asserts that the hacker only accessed the encrypted password vaults of users and that the master password, known only by the user, is still needed to access an individual password vault. However, it may only be a matter of time before the hackers are able to decrypt the vaults and access the highly confidential data of all the users.