Lawsuit Filed vs LastPass After $53K BTC Allegedly Lost on Data Breach

According to a certain John Doe, his BTC was stolen using the private keys he stored with LastPass during Thanksgiving 2022.

Editing by Nathaniel Cajuday

  • A lawsuit was filed by a certain John Doe against password management service LastPass at the United States District Court of Massachusetts.
  • According to Doe, his $53,000 worth of BTC was stolen using the private keys he stored with LastPass during the Thanksgiving of 2022. 
  • LastPass has not yet responded to the lawsuit.

After the data breach that happened in August last year, a class-action lawsuit was filed with the United States District Court of Massachusetts on January 3, 2023, against password management service LastPass.

The plaintiff, who goes by “John Doe” and stands on behalf of the other affected individuals, alleges that the data breach resulted in the theft of around $53,000 worth of Bitcoin. 

According to Doe, in July 2022, when he started accruing BTC, he updated his master password to more than 12 characters using a password generator, as recommended by the LastPass “best practices”; the action enabled the storage of private keys in the LastPass customer vault.

Consequently, the plaintiff stressed that when news of the data breach broke in August 2022, he immediately deleted his private information from his customer vault.

“However, on or around Thanksgiving weekend of 2022, Plaintiff’s Bitcoin was stolen using the private keys he stored with Defendant [LastPass]… The LastPass Data Breach has, through no fault of his own, exposed him to the theft of his Bitcoin and exposed him to continued risk,” the lawsuit read.

Accordingly, LastPass is now alleged to have put the victims at an increased substantial risk of future fraud and misuse of their private information, which may take years to manifest, discover, and detect. Following this, the firm is being accused of negligence, breach of contract, unjust enrichment, and breach of fiduciary duty. 

In August, when the breach was first disclosed, LastPass initially stated that the attacker had only obtained source code and technical information, not any customer data. However, a December statement from the company revealed that the attacker was actually able to steal the users’ encrypted passwords. According to the company, the hacker attacked another employee’s device to obtain keys to customer data stored in a cloud storage system.

“To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service… The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data,” Karim Toubba, LastPass CEO, stated.

To date, LastPass has yet to respond to the lawsuit. 

This article is published on BitPinas: Lawsuit Filed vs LastPass After $53K BTC Allegedly Lost on Data Breach

Disclaimer: BitPinas articles and its external content are not financial advice. The team serves to deliver independent, unbiased news to provide information for Philippine-crypto and beyond.
