LastPass is being sued after a major cyberattack

LastPass has been threatened with legal action after a month-long data breach that began in August 2022 and resulted in the leakage of potentially millions of user data.

A statement from Password Manager CEO Karim Toubba at the time claimed there was a lack of evidence that customer data was compromised, despite using a leading cybersecurity and forensics firm.

A December 2022 notice announced that “an unknown threat actor accessed a cloud-based storage environment using information obtained from the incident”.

LastPass leak in August 2022

According to class action (opens in new tab) Filed with a Massachusetts court, all the bad guys were given the names, usernames, billing addresses, email addresses, phone numbers, and even the IP addresses used to access the service.

The final straw may have been the leak of customers’ unencrypted vault data, which contains all sorts of information from website usernames and passwords to other secure notes and form data.

According to the lawsuit, “LastPass understood and appreciated the value of this information, but chose to ignore it by not investing in adequate data security measures.”

The plaintiff in the case claims to have invested $53,000 in Bitcoin since July 2022, which was “stolen” a few months later, prompting police and FBI reports.

More recently, Toubba took part in the company to blog (opens in new tab) to announce that “some source codes and technical information have been stolen [LastPass’s] Development Environment” which led to an attack on an employee’s account, stealing credentials and keys. The company has since “completely decommissioned that environment and built a new environment from the ground up.”

While the plaintiff has requested a jury trial regarding the leak and resulting losses, it remains to be seen what action (if any) will be taken against LastPass.

• Protect yourself with the best firewalls

This article was previously published on Source link