LastPass data breach led to $53K in Bitcoin stolen, lawsuit alleges

Published at: Jan. 5, 2023

A class action lawsuit has been filed against password management service LastPass following a data breach from Aug. 2022.

The class action was filed with the U.S. district court of Massachusetts on Jan. 3, by an unnamed plaintiff known only as “John Doe” and on behalf of others similarly situated.

It alleges that the data breach of LastPass has resulted in the theft of around $53,000 worth of Bitcoin.

The plaintiff claimed he began accruing BTC in Jul. 2022 and updated his master password to more than 12 characters using a password generator, as recommended by the LastPass “best practices.”

This was done to enable the storage of private keys in the seemingly secure LastPass customer vault.

When news of the data breach broke, the plaintiff deleted his private information from his customer vault. LastPass was hacked in Aug. 2022, with the attacker stealing encrypted passwords and other data, according to a December statement from the company.

Despite the quick action to delete the data, it appeared to be too late for the plaintiff. The lawsuit read:

“However, on or around Thanksgiving weekend of 2022, Plaintiff’s Bitcoin was stolen using the private keys he stored with Defendant [LastPass].”

“The LastPass Data Breach has, through no fault of his own, exposed him to the theft of his Bitcoin and exposed him to continued risk,” it added.

The suit claims that victims have been put at increased substantial risk of future fraud and misuse of their private information, which may take years to manifest, discover, and detect.

LastPass is being accused of negligence, breach of contract, unjust enrichment, and breach of fiduciary duty; however, the figure sought in damages was not specified.

According to cybersecurity researcher Graham Cluley, the stolen data includes unencrypted information such as company names, user names, billing addresses, telephone numbers, email addresses, IP addresses, and website URLs from password vaults.

r/t LostPass? After the LastPass hack, here’s what you need to know... https://t.co/8x47Vze0lb

— Graham Cluley (@gcluley) January 4, 2023

In December, LastPass admitted that if customers had weak Master Passwords, the attackers may be able to use brute force to guess this password, allowing them to decrypt the vaults.
