LastPass' Failure to Warn Users Led to Theft of Digital Assets After Data Breach: Suit

An unauthorized party compromised a LastPass engineer’s corporate laptop Aug. 8-12, 2022, and accessed credentials to exfiltrate LastPass source code, technical information and certain LastPass “internal system secrets,” said the complaint Thursday (docket 1:24-cv-10874) in U.S. District Court for Massachusetts in Boston. Then Aug. 12-16, the attackers used information acquired in the initial attack “to target and compromise a LastPass senior development engineer's computer, it said.

The threat actor “copied information from backup" that contained basic customer account information and related metadata including company names, end-user names, billing and email addresses, phone numbers, and the IP addresses from which customers were accessing the LastPass service, the complaint said, citing a company notice. Most important, it said, attackers acquired backup copies of the customer Vault database LastPass had told users was “encrypted and inaccessible." The database contained “all the sensitive and confidential information" that "millions" of LastPass customers stored in their "supposedly secure" LastPass Vaults, it said.

The plaintiffs in the case -- Jason Beckerman, a resident of Delray Beach, Florida; Robert Lee of Buffalo Grove, Illinois; Reda Elamri, Kansas City, Missouri; and Seth Arnoff, Yorkville, Illinois -- are former LastPass users who used the Vault to store their confidential financial information and relied on its representations that information stored on the LastPass Vault was secure from unauthorized access, the complaint said.

After the breach, the plaintiffs chose to continue using LastPass based on the defendant’s representations about the integrity of information stored in its vaults from Aug. 25, 2022, to when their digital assets “were stolen,” the complaint said.

LastPass repeatedly reassured the plaintiffs that their information was secure as long as their master passwords were configured according to its recommendations, the complaint said. But the company didn’t force them to implement certain standards when creating a password before Aug. 26, 2022, or require them to upgrade old passwords, it said. A user who configured his LastPass password based on previous guidance “would not have known or suspected that their LastPass vault was vulnerable to a brute force attack at the time the customer vault backup was stolen,” it said.

In September 2022, LastPass advised users that their information was secure and that the data breach didn’t involve access to their data or encrypted password vaults, the complaint said. The company assured users that its controls prevented the threat actor from accessing encrypted vaults and that without the master password, it wasn’t possible “for anyone other than the owner of a vault to decrypt vault data as part of our Zero Knowledge security model,” it said.

Though it acknowledged in November that attackers were able to access “certain elements of our customers’ information," LastPass still reassured users that their data was secure because their passwords were safely encrypted; it didn’t advise them to remove sensitive information from their vaults, the complaint said. On Dec. 22, LastPass acknowledged that unauthorized actors “did access and exfiltrate a backup copy of customer vault data but again reassured users that their data was safely encrypted,” the complaint said.

LastPass' final update in March also said vault data was encrypted and could be decrypted only with a unique key derived from their password; it also recommended that users securely configure their passwords and use multifactor authentication on their accounts, the complaint said. But those measures wouldn’t have prevented the unauthorized access to the information on plaintiffs’ vaults “because changing a password or implementing multi-factor authentication would not affect the attackers’ attempts to access the offline backup copy of customer LastPass Vaults,” it said.

The Boston-based defendant assured the plaintiffs that it would have taken “millions of years to guess [their] master password using generally available password-cracking technology,” so they continued to rely on their LastPass Vault as the “sole” and “safest” location to store their private keys, said the complaint.

LastPass “was well aware of the potential for access to” users’ LastPass Vault as least as early as November when it acknowledged that user data was exfiltrated in the breach, said the complaint. It also “presumably knew” that its senior developer’s access credentials had been used to exfiltrate the user vault database, the complaint said. The company couldn’t have been unaware that actions users took to update their passwords or protect their accounts would have no effect on the exfiltrated Vault backup, it said.

Users publicly posted on Twitter and elsewhere, and reported to LastPass directly, that “despite strict security precautions, their digital assets had been drained from their wallets” following the breach, the complaint said. Security researchers, too, publicly linked the theft of LastPass users’ digital assets and “detailed the methodology that they used to conclude that private keys were acquired through the data breach,” the complaint said.

The complaint cited an article from cybersecurity expert Krebs on Security Sept. 5 saying researchers reliably linked “the theft of more than $35 million in crypto from more than 150 confirmed victims, with roughly two to five high-dollar heists happening each month since December 2022.” The researcher shared that information with LastPass prior to publication, “and LastPass knew of the connection between the compromise of private keys and the LastPass platform but nevertheless knowingly and willfully failed to correct their earlier statements,” said the complaint. The company also failed to warn plaintiffs that their private keys and sensitive information stored in their vaults “was vulnerable to compromise” as a result of the breach, it said.

Beckerman claims 523.14 Ethereum cryptocurrency, valued at $4.75 million, was transferred from his digital wallet to a wallet controlled by an unknown third party, the complaint said. Lee claims 152.35 Ethereum, 0.026 bitcoin and 9,577.09 Golem were transferred from his digital asset wallets to a third party’s wallet. Elamri claims a loss of 45.104 Ethereum, and Arnoff claims a loss of 12,700.27 Tomb, 597,009.5 Retreeb, 15,153,436 Zookeeper, 0.0044 Deus Finance, 0.524 Stader, 0.00863 Ethereum, 8.374 LiquidDriver, 90.54 BeethovenX and 9.054 Equalizer Dex tokens, the complaint said.

All the plaintiffs maintain the private keys stored only in their LastPass vaults were used in the transfer of digital assets, the complaint said. Had LastPass warned the plaintiffs that the information stored on their vaults were vulnerable to access, they would have transferred it to a “new wallet with a secure private key” and prevented the loss of their assets, it said.

The plaintiffs’ counts of action include violations of the Massachusetts Protection Act and fraudulent misrepresentation. They request an award of actual, compensatory, statutory, nominal and punitive damages; attorneys’ fees and costs; and pre- and post-judgment interest.