LastPass faces lawsuit over Bitcoin theft worth $53K


  • LastPass has been hit with a lawsuit over the theft of Bitcoin worth $53K.
  • According to the lawsuit, LastPass wasn’t able to safeguard user data during a breach in August last year.
  • The legal action was filed by a plaintiff on his own behalf and on behalf of others who had a similar experience.

Last month, Today NFT News reported that hackers stole the LastPass security vault. Now there’s another piece of news surrounding the password management service. 

A class-action lawsuit has been filed against LastPass in connection with a data breach that happened in August 2022 and resulted in the theft of Bitcoin worth $53,000.

The lawsuit was filed on January 3 with the United States District Court of Massachusetts by an unnamed plaintiff, identified as John Doe, on his own behalf and on behalf of others.

According to the plaintiff, he started accruing Bitcoin in July last year. He also upgraded his master password to more than 12 characters, as suggested by the LastPass “best practices.”

He did so to allow the storage of private keys in the LastPass customer vault. However, as soon as the news about the data breach came out, he removed his private details from his customer vault. 

When LastPass was hacked in August last year, the attacker stole encrypted passwords along with other data.

Even though the plaintiff acted swiftly to delete the data, things got out of hand for him.

The lawsuit states:

However, on or around Thanksgiving weekend of 2022, Plaintiff’s Bitcoin was stolen using the private keys he stored with Defendant [LastPass].

The lawsuit says that the victims are at risk of fraud in the future, as well as of having their private data misused.

LastPass is accused of breach of contract, carelessness, breach of fiduciary duty, and unjust enrichment.

According to Graham Cluley, a cybersecurity researcher, the data that’s been stolen contains unencrypted details such as billing addresses, IP addresses, company names, website URLs, usernames, and email addresses from password vaults.

LastPass acknowledged in December that weak master passwords can allow attackers to guess the password and decrypt the vaults.