A resident of the US state of Pennsylvania has filed a lawsuit against LastPass, which received class action status. Over the past year the service's systems were breached twice, even though its administration tried to assure users that their data was safe.
According to the plaintiff, bitcoin worth a total of $53,000 was stolen from him as a result of the November LastPass breach, and stories of numerous account "hijackings" on various services are surfacing online that are also being linked to the incident.
The trouble began in August, when attackers stole source code and proprietary technical information from LastPass's development environment. In November the attackers returned and, using information obtained in the first intrusion, gained access to backups of users' password vaults. LastPass tried to allay concerns by explaining that the data in the vaults is encrypted with a key derived from the user's master password, which is never stored on the service's servers, so the vaults can only be read by someone who knows that master password (LastPass later acknowledged that some vault fields, such as website URLs, were stored unencrypted).
The plaintiff alleges that his cryptocurrency wallet was protected by a unique password generated by LastPass and that the service was used to store the wallet's "very important private key". The wallet was nonetheless emptied, and if the key existed only inside LastPass, then LastPass is not as secure as the company claims. Users who have since switched to Google's password manager are increasingly receiving notifications that credentials previously kept in LastPass have been compromised, and targeted phishing attempts have increased.
The lawsuit states that the service characterizes its security practices as "stronger than usual", but that, according to the plaintiff, this is not true. Notably, it was not until 2018 that LastPass required master passwords to be at least 12 characters long, and master passwords are stretched with 100,100 iterations of PBKDF2 (the default for newer accounts; older accounts kept lower counts unless the user raised them), whereas the OWASP recommendation for PBKDF2-HMAC-SHA256 at the time was 310,000 iterations. The plaintiff sees further evidence of negligence in what the complaint calls the "unnecessarily extended" delay in notifying users of the incident.
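To make the iteration-count argument concrete, here is an added example (not code from the lawsuit, LastPass, or this article) that derives a vault key with PBKDF2-HMAC-SHA256 at the two iteration counts mentioned above and shows how the count translates into attacker cost. The derivation scheme (SHA-256, account e-mail as salt, 32-byte key) is modeled on LastPass's public description but should be treated as an assumption for illustration, as should the attacker throughput figure `hmac_sha256_per_second` and the sample credentials:

```python
import hashlib

# Figures cited in the complaint (assumptions for this example, not LastPass's code):
# the LastPass default iteration count and the OWASP PBKDF2-HMAC-SHA256 recommendation
# described as the "industry standard".
LASTPASS_DEFAULT_ITERATIONS = 100_100
OWASP_RECOMMENDED_ITERATIONS = 310_000
KEY_LEN = 32  # 256-bit vault encryption key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch a master password into a vault key with PBKDF2-HMAC-SHA256.

    The salt is the normalised account e-mail, modeled on LastPass's described
    scheme; the normalisation rule is an assumption made for this example.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def guesses_per_second(hmac_sha256_per_second: float, iterations: int) -> float:
    """A PBKDF2 guess costs roughly `iterations` HMAC evaluations, so an attacker
    with a given HMAC throughput gets that many fewer password guesses per second."""
    return hmac_sha256_per_second / iterations


def cost_ratio(iterations_a: int, iterations_b: int) -> float:
    """How many times more work per guess a vault at iterations_b costs than one at iterations_a."""
    return iterations_b / iterations_a


def seconds_to_exhaust(keyspace: int, hmac_sha256_per_second: float, iterations: int) -> float:
    """Worst-case time to try every candidate in a keyspace of the given size."""
    return keyspace / guesses_per_second(hmac_sha256_per_second, iterations)


if __name__ == "__main__":
    # Constructed sample credentials; not real data.
    master, email = "correct horse battery staple", "alice@example.com"
    for iters in (LASTPASS_DEFAULT_ITERATIONS, OWASP_RECOMMENDED_ITERATIONS):
        print(iters, derive_vault_key(master, email, iters).hex()[:16], "...")

    # Assumed attacker: 1e9 HMAC-SHA256/s (a GPU-rig order of magnitude, assumption only).
    rate = 1e9
    keyspace_12_alnum = 62 ** 12  # every 12-character mixed-case alphanumeric password
    for iters in (LASTPASS_DEFAULT_ITERATIONS, OWASP_RECOMMENDED_ITERATIONS):
        print(f"{iters:>7} iterations: {guesses_per_second(rate, iters):,.0f} guesses/s, "
              f"{seconds_to_exhaust(keyspace_12_alnum, rate, iters) / 31_557_600:.2e} years")
    print("cost ratio 100,100 -> 310,000:", round(cost_ratio(
        LASTPASS_DEFAULT_ITERATIONS, OWASP_RECOMMENDED_ITERATIONS), 2))
```

The point the numbers make is that raising the iteration count from 100,100 to 310,000 only makes each guess about 3.1 times more expensive, so a strong, long master password matters far more than the iteration count; the count mainly protects users whose master passwords are short or common, which is exactly the population most at risk once the encrypted vaults are in an attacker's hands.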