
LastPass Data Breach: $53K in Bitcoin Stolen

A class action lawsuit was filed against LastPass, a password management service, after a data breach in August 2022.


The suit, filed on behalf of an unnamed plaintiff known as "John Doe" and others similarly affected, alleges that the data breach resulted in the theft of approximately $53,000 worth of Bitcoin. The plaintiff had updated his master password to meet LastPass's recommended best practices and stored his private keys in the LastPass customer vault.

However, after the data breach was announced, the plaintiff's Bitcoin was stolen using the private keys stored with LastPass. The suit claims that victims are at increased risk of future fraud and misuse of their private information, and it accuses LastPass of negligence, breach of contract, unjust enrichment, and breach of fiduciary duty.

LastPass Admits to Data Breach, Weak Master Passwords to Blame

In December, LastPass admitted to a data breach that occurred in August 2022. The company stated that the attacker stole encrypted passwords and other data, and that if customers had weak Master Passwords, the attacker might have been able to use brute force to guess the password and decrypt the vaults.

Cybersecurity researcher Graham Cluley reported that the stolen data included unencrypted information such as company names, user names, billing addresses, telephone numbers, email addresses, IP addresses, and website URLs from password vaults.