LastPass Sued for Data Breach to Recover $53,000 in Lost Cryptocurrency

The recent data breach at LastPass, which saw customers’ encrypted password vaults stolen, has sparked its first lawsuit from a customer who claims to have lost $53,000 in cryptocurrency due to the data breach.

The breach in question was detected by LastPass in August 2022, when the company confirmed that unauthorized individuals gained access to its developer environment and stole proprietary source code and technical documentation, although at the time LastPass said customer data was not involved. Then the company announced that a second breach had occurred that was linked to the first. The individual(s) behind that attack used information from that breach to target another employee and obtained credentials and keys that allowed access to and the decryption of some storage volumes within a cloud-based storage service.

Then on December 22, LastPass confirmed that the threat actor had copied information from a backup that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The attackers also obtained a backup of customer vault data from the encrypted storage container. The vault data was stored in a proprietary binary format that contained both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. Master passwords were not obtained, but weak master passwords could potentially be cracked, thus providing access to vaults.

The lawsuit was filed in the U.S. District Court of Massachusetts on behalf of plaintiff John Doe and other individuals similarly affected by the data breach. It alleges that LastPass was negligent by failing to invest in adequate data security measures to prevent the unauthorized access to and copying of the plaintiff’s and class members’ private information. As a result of the alleged negligence, the password vaults of customers are now in the hands of cybercriminals, and the plaintiff and class members are no longer in possession of a secure password vault.

The plaintiff claims to have started making Bitcoin purchases in July 2022 and did so over around 3 months, investing approximately $53,000 in Bitcoin in that time. Over the Thanksgiving weekend, those Bitcoin investments were stolen. The plaintiff claims to have saved the keys for his cryptocurrency wallets in his LastPass vault, which was protected by a 12-character password created with a secure password generator in July 2022, meaning his master password could not realistically be cracked. The plaintiff claims that if LastPass had been more transparent about the breach in August, he would have taken action to better secure his cryptocurrency accounts.

The plaintiff claims that the information in his LastPass account that allowed his accounts to be accessed was removed when he learned of the data breach, but since that information was in the copy that was stolen, the deletion of the data from the account was ineffective. The lawsuit does not, however, provide any evidence that the theft occurred as a result of the LastPass data breach. The lawsuit seeks class action status, damages, a jury trial, and injunctive relief.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news