Communications Litigation Today was a Warren News publication.
'Lax Data Security'

Motion Would Add Another Suit to Consolidated LastPass Class Action

Another plaintiff wants to join a privacy class action against LastPass and its parent company, Go To Technologies, for an August data breach that allegedly compromised consumers’ personal identifiable information (PII), said a motion Monday (docket 1:22-cv-12047) to consolidate cases under U.S. District Judge Denise Casper in District Court for Massachusetts in Boston.

Last month, two separately filed but related cases against LastPass -- Debt Cleanse Group v. Go To Technologies (docket 1:22-cv-12047) and John Doe v. LastPass (docket 1:23-CV-10004) -- were presented as “appropriate for consolidation (see 2301300038), in an unopposed motion.

Plaintiff R. Andre Klein joined the group Monday, asking the court to enter a pretrial order consolidating the three cases along with Carter v. LastPass (docket 1:23-cv-10092). The Monday motion seeks to stay all deadlines in the cases proposed for consolidation during the pendency of the motion, including deadlines for defendants to respond to complaints. Plaintiffs request a deadline of 30 days from the filing of a consolidated complaint if the court grants the motion or 30 days from the court’s order of denial.

All the class actions claim negligence, breach of contract and unjust enrichment. If the plaintiffs had known the private information they entrusted to subscription-based password manager LastPass wouldn't be adequately protected, they wouldn’t have entrusted their private information to the company, they said. LastPass’ “lax data security measures led to the breach,” said plaintiff "John Doe," of Pennsylvania.

Plaintiff Doe, who allegedly lost $53,000 in bitcoin due to the data breach, updated his master password to more than 12 characters using a password generator, complying with LastPass’ “best practices” so he could store private keys associated with his bitcoin purchases in his LastPass vault. In November, the bitcoin “was stolen using the private keys he stored with Defendant” alleged the complaint. LastPass’ default settings only allowed up to 100,100 password iterations, said the plaintiff, “well below the standard 310,000 iterations recommendation by the Open Web Application Security Project.”

Plaintiffs noted LastPass’ attempts to shift blame from the company to its subscribers. A Dec. 22 blog post updating users on the breach said master passwords weren’t among the information stolen in the breach “because the master password is never known to LastPass and is not stored or maintained by LastPass.” That statement hasn’t been verified through discovery, said the Doe complaint, and is a “shameless attempt” by the company to shift the blame of the negative impact on users by stating “it would be extremely difficult to attempt to brute force guess master passwords” for customers “who follow our password best practices.”

Plaintiff Klein noted LastPass CEO Karim Toubba’s comment in the December post, referencing a 2018 update requiring new users to create a 12-character-minimum master password, saying “it would take millions of years to guess your master password” using generally available hacking technology. As an “extra security measure,” Toubba said, customers should “consider minimizing risk” by changing passwords of websites they stored.

Klein, a LastPass user since 2011, said LastPass didn’t require legacy users to apply strong master passwords in 2018, and the executive “appears to be setting the stage to blame Last Pass’ legacy users if data thieves are able to crack pre-2018 master passwords.” Toubba said LastPass had, at that point, notified fewer than 3% of its business customers to recommend they take action, the complaint noted.

In a September statement on the breach, Toubba said the investigation into the August data breach was “completed,” spanned four days and was intercepted and stopped by LastPass, said the Klein complaint. Toubba said there was no evidence of access to customer data or encrypted password vaults. A November update revealed LastPass’ third-party cloud storage service was breached, using information obtained in the August LastPass breach, allowing the hacker to obtain customers’ PII. In December, Toubba “finally” acknowledged core customer data was compromised as a result of both breaches, the complaint said.

The Doe complaint outlined LastPass’ alleged misconduct including failing to (1) secure class members’ private information, (2) comply with industry standard security practices; (3) implement adequate system and event monitoring; and (4) implement the systems, policies and procedures necessary to prevent the breach.