Consumer Electronics Daily was a Warren News publication.
'Significant Damages'

LastPass Hid Basic Data Breach Information From Customers, Regulators, Say Plaintiffs

The motion of GoTo Technologies and LastPass to dismiss the fraud complaint arising from a 2022 data breach should be denied in its entirety, said the plaintiffs’ response in opposition Wednesday (docket 1:22-cv-12047) in U.S. District Court for Massachusetts in Boston.

The defendants argued last month that the plaintiffs lack standing and failed to plead facts sufficient to constitute plausible claims under Federal Rules of Civil Procedure 12(b)(6) (see 2309200032). The case is “not your typical data breach,” defendants said, saying, the indicator of such litigation typically is the compromise of personally identifiable information (PII) or sensitive financial data. “No PII or sensitive data was compromised” by the LastPass incident, they said, and absent that, plaintiffs “merely assume or speculate that their PII and sensitive data was compromised, which dooms their Complaint.”

In their response, plaintiffs said password manager company LastPass doesn’t dispute that cybercriminals were able to steal “copies of customers’ entire LastPass ‘vaults,’ containing colossal amounts of data belonging to more than 25 million customers,” including plaintiffs’. Instead, they claimed in their memorandum in support of their motion to dismiss that because customer vaults were encrypted, plaintiffs’ “sensitive data was unimpacted” by the breach, it said. Plaintiffs allege defendants “failed to implement industry-standard data security, that their personal and sensitive information was exfiltrated, and that cybercriminals were able to access the stolen vaults and decrypt data,” said the response.

Defendants acknowledged that plaintiffs are susceptible to “brute force” and phishing attacks from data criminals with “limitless time to crack the stolen vaults in their possession,” said the response. Customers, including those with old master passwords, “cannot protect themselves by changing passwords now, because the offline copies of the stolen LastPass vaults are protected by the stale passwords that were active when the vaults were stolen,” it said. Many customers “suffered significant damages from and losses as a direct result of this breach,” it said.

LastPass “withheld basic information about the data breach” from its customers and “seemingly from regulators and state authorities,” said the response. Defendants’ “pattern of obfuscation” leaves plaintiffs and class members “in the dark, unable to adequately protect themselves from the consequences of the data breach,” it said.

Instead of helping customers, the defendants want the case dismissed “to avoid meaningful discovery into the matter," and for the court to "simply take them at their word,” the response said. But plaintiffs “plead cognizable injuries and allege sufficient facts to allow for the plausible and reasonable inference” that LastPass’ “failure to safeguard” plaintiffs’ and class members PII resulted in “actionable damages,” it said.

LastPass published its most recent update on the breach March 1, saying the “threat actor infiltrated LastPass by stealing source code and technical data from the company in August 2022,” said the response. The company admitted it prematurely declared the incident closed but later learned information stolen in August 2022 was leveraged to hack a LastPass employee, the response said. “For the first time, LastPass acknowledged the ‘data accessed [by the threat actor] from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data,’” it said. Among data accessed, LastPass identified “customer metadata, and backups of all customer vault data.”

Defendants’ official statements about the breach have been “misleading, false, and continue to omit important information," said the response. Despite a “professed commitment to transparency,” LastPass failed to notify plaintiffs, class members or relevant authorities about the full nature of the breach and “repeatedly downplayed and minimized the incident,” it said. To date, neither GoTo nor LastPass has provided basic information about the breach, including when it began, how long it persisted or why LastPass wasn’t able to detect it, it said. Plaintiffs “still do not know what information was exposed or how long hackers have had it, leaving unclear what further steps -- beyond those already recommended by the Defendants -- they need to take to protect themselves,” it said.