Skip to Content

LastPass Data Breach and its Class Action Suit

on Tuesday, 24 January 2023 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

LastPass is a software service that offers to save users’ passwords in one place, accessible on demand through many different methods and devices such as computers, tablets, and phones.  Several competitors offer similar services, such as DashLane, 1Password, and BitWarden, among others.  Password managers have become more and more common due to their ease of use and security advantages.

Password managers are easy to adopt because users can create one main “master-password” that allows access to all of the user’s other passwords.  The manager then provides programmatic access to applications such as email, streaming sites, social media, or other secured sites for automatic authentication.

The most significant advantage of password managers is their ability for users to create, manage, and use longer and more complex passwords without having to write down the passwords or store the passwords in an unsecure file or on random post-it notes stuck to their computer monitor (egads – who would do that?).  Password managers also have the potential for alleviating the requirement for the periodic changing of passwords.  For example, NIST and Microsoft now advocate for the use of a long, complex passwords or passphrases along with multi-factor authentication instead of regular rotation of shorter, less complex passwords.  Users are much more likely to adopt and use more complex passwords if they are not required to change passwords periodically.  

The major disadvantage, however, is that users now have one-point of failure, one master-password, which may expose all of their passwords, no matter how complex, if a breach occurs or security of the password is lost, which appears to be what exactly happened in the case of LastPass.

The LastPass Attack

LastPass announced in August of 2022 that the company suffered a breach.  The company investigated and concluded that no user information was compromised.  What was compromised, however, was some of LastPass’ internal code.

The attacker took this compromised code and targeted an employee of the company in a second attack.  During the subsequent attack the hackers were able to obtain access to a cloud storage container where some customers’ encrypted password vaults were stored.  A customer vault contains all user passwords and is encrypted using strong encryption technology (AES 256-bit encryption).  Once the attackers had access they were able to exfiltrate the vaults.  This exfiltration provided the attackers copies of the vaults and an unlimited time to run decryption processes against the vaults to break the encryption.

The LastPass Lawsuit

Shortly after announcing the compromise of the individual vaults, a class-action lawsuit was filed in the District of Massachusetts[2].  In the complaint the plaintiff alleges that he used the “best practice” of LastPass to create and secure his passwords.  Shortly after Thanksgiving of 2022, the plaintiff discovered that his bitcoin account at a third-party’s secure website had been compromised and was drained of approximately $53,000.00.  The plaintiff alleges that he maintained his bitcoin private keys in his LastPass account.

The plaintiff goes on to allege that although the master-password is not known by LastPass, LastPass did not adequately explain to its users that the security of the individual password vaults is directly related to strength and length of the master-password created by the user.  A simple password for the master-password meant decrypting the user’s vault would be easier and faster.

The plaintiff also alleges that LastPass engaged in “unfair or deceptive acts or practices in, or affecting, commerce”, and that LastPass failed to implement industry standard security measures recommend by the Microsoft Threat Protection Intelligence Team.

If the case proves successful and identifies other similarly situated plaintiffs, LastPass may face a very expensive legal bill.

Conclusions

Users and organizations can benefit from the lessons learned by the parties to this case:

  1. Users need to be responsible for their own password complexity and security. Even the best, highest-levels of encryption require a strong, complex password to secure the data.  Even AES 256-bit encryption can be easily broken with a simple password.
  2. Users and organizations which use password management programs need to review and understand the types of protections and warranties offered by a service provider to protect sensitive data. Such information may be gleaned from a review of the user agreements or information on the service’s website.  Service providers who are serious about their own security should be willing to stand behind their products.
  3. Users should understand the risks with “putting all of their eggs in one basket”; one point of failure may compromise all of their passwords.
  4. Organizations should review, investigate, and test any platform or service offering that directly affects their security posture such as password managers.
  5. Finally, these suits for data breaches are becoming more and more common as attacks become more sophisticated.

 

[2] Doe v. LastPass US LP (1:23-cv-10004), District Court, D. Massachusetts.

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design