The suit, filed on behalf of an unnamed plaintiff known as "John Doe" and others similarly affected, alleges that the data breach resulted in the theft of approximately $53,000 worth of Bitcoin. The plaintiff had updated his master password to meet LastPass's recommended best practices and stored his private keys in the LastPass customer vault.
However, after the data breach was announced, the plaintiff's Bitcoin was stolen using the private keys stored with LastPass. The suit claims that victims are at increased risk of future fraud and misuse of their private information and accuses LastPass of negligence, breach of contract, unjust enrichment, and breach of fiduciary duty.
LastPass Admits to Data Breach, Weak Master Passwords to Blame
In December, LastPass admitted to a data breach that occurred in August 2022. The company stated that the attacker stole encrypted passwords and other data and that, if customers had weak master passwords, the attacker might have been able to use brute force to guess the master password and decrypt the vaults.
Cybersecurity researcher Graham Cluley reported that the stolen data included unencrypted information such as company names, user names, billing addresses, telephone numbers, email addresses, IP addresses, and website URLs from password vaults.