Password Manager LastPass Sued Over Allegedly Misleading Data Breach Notices


Last week, an anonymous plaintiff filed a putative class action against LastPass US LP (LastPass) in the District of Massachusetts in connection with a data breach affecting the password management tool that was revealed over the summer.

The filing describes Defendant as a “password and identity management services company” and seeks relief on behalf of a nationwide class of “All persons whose personal information was accepted, compromised, copied, stolen and/or exposed as a result of the LastPass Data Breach.” The plaintiff says the victims suffered from a “massive months-long data breach that began in August 2022 [that] impacted the highly sensitive data of potentially millions of LastPass users…”

Plaintiff quotes the entirety of an August 25, 2022 notice from LastPass to its customers regarding the breach. The communication states in part that “After initiating an immediate investigation [of ‘some unusual activity within portions of the LastPass development environment’], we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”

Plaintiff then quotes a portion of a subsequent December 22, 2022 communication, which Plaintiff describes as an “updated notice,” in which LastPass disclosed that “an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022.”

Plaintiff alleges “upon information and belief” that hackers were able to copy sensitive information of millions of users, which included “names, end-user names, billing addresses, email addresses, telephone numbers, IP addresses from which customers were accessing the LastPass service, and customer vault data where certain unencrypted data was stored, including website usernames and passwords, secure notes, and form-filled data.”

Plaintiff alleges that “During the delay between the initial August notice irresponsibly stating that users faced no significant risk and the December notice, the risks and damages to Plaintiff and Class were only increasing.”

Plaintiff asserts six causes of action: Negligence; Breach of Contract/Breach of Implied Covenant Good Faith and Fair Dealing; Breach of Implied Contract (which is pled in the alternative to the Breach of Contract cause of action); Unjust Enrichment; Breach of Fiduciary Duty; and Declaratory Judgment and Injunctive Relief.

The plaintiffs seek “damages, compensatory damages and/or restitution or disgorgement.” Regarding non-monetary, injunctive and declaratory relief, Plaintiff requests, among other things, that LastPass be compelled to implement appropriate procedures regarding data handling and to “disclose with specificity all types of information compromised during the Data Breach.”

Plaintiffs' counsel are Migliaccio & Rathod, LLP and Pastor Law, PC.