LastPass is being hit by a class-action lawsuit in the state of Massachusetts by customers after the password management company revealed further details about prior breach in August 2022.
As updates surface, it was revealed that LastPass downplayed the severity of the breach repeatedly which may have affected all of its over 30 million customers.
LastPass confirms in a blog update on December 22nd by CEO Karim Toubba that a “threat actor” had made a backup copy of stolen customer data that “included fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-milled data.”
Originally LastPass reported that hackers were unable to breach encrypted password vaults in full due to their encryption and master password security. However, the lawsuit reveals that the hackers were in fact able to breach personal information about users. Included in the breach so far was user billing addresses, phone numbers, email addresses, and the website URL’s of where users had encrypted passwords. The website URL’s makes it easy for hackers to send phishing or social engineering hacking messages to customers to scam them or bribe them for ransom.
“Not only has this statement not been verified through discovery, but it is also a shameless attempt by LastPass to shift the blame of the Data Breach’s resulting negative impact on Plaintiff and Class members,” the lawsuit reads in response to a claim by LastPass that master passwords were secure because the company allegedly does not store them.
This is of course not the first data breach LastPass has suffered. In fact they have fell victim to a lengthy count of breaches since 2011. LastPass CEO Explains Possible Hack | PCWorld
Cybersecurity analysts recommend immediately changing your most important passwords (banking, financial, company level, medical, etc.). Do not resave these new passwords to LastPass!
From there customers are encouraged to change all the rest of their passwords and enable two-factor authentication.
Further instructions include changing your LastPass master password and then migrating to a new password manager due to the continued repeated breaches and severity of breaches that the company has faced.
Password Manager Alternatives: