LastPass sued over data breach.
A resident of the US state of Pennsylvania has filed a lawsuit against LastPass that has been granted class-action status. Last year the service's systems were breached twice, even as its management tried to assure users that their data was safe.
According to the plaintiff, bitcoins worth a total of $53,000 were stolen from him as a result of the November LastPass breach, and reports of numerous account "hijackings" on various sites, also attributed to the incident, are appearing on the Internet with increasing frequency.
The problems began in August, when unknown attackers stole technical data from LastPass servers. In November the attackers returned and, using the previously stolen information, finished the job by gaining access to users' password vaults. LastPass management tried to dispel concerns by stating that the data in the vaults is encrypted and can only be read with the user's master password, which is not stored on the service's servers.
The plaintiff alleges that the cryptocurrency wallet was protected by a unique password generated by LastPass, and that the service was used to store "extremely important private keys". The wallet was nevertheless compromised, and if the keys were stored only on LastPass systems, then those systems are not as secure as the company claims. Users who have switched to Google's password manager are increasingly receiving notifications that their LastPass credentials have been compromised, and suspicious phishing attempts have increased.
The lawsuit states that the service's management characterizes its security methods as "stronger than usual", but that this is not true. In particular, the service only began requiring master passwords longer than 12 characters in 2018, and password hashing uses 100,100 iterations of the PBKDF2 algorithm, whereas the industry standard calls for 310,000 iterations. The plaintiff regards the "unreasonably long" delay in notifying users of the incident as further evidence of negligence.
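To make the iteration-count argument concrete, here is an added example (not code from the article or from LastPass) that derives a vault key from a master password with PBKDF2 at the two counts the lawsuit cites and quantifies how the per-guess cost for an offline attacker scales. It assumes PBKDF2-HMAC-SHA256 with a 32-byte output and uses a constructed salt; the article does not state which hash function or salt scheme the service uses, so those are assumptions.

```python
import hashlib
import hmac
import os
import time

# Iteration counts named in the lawsuit.
LASTPASS_ITERATIONS = 100_100
RECOMMENDED_ITERATIONS = 310_000

# Constructed per-user salt for the demonstration; a real vault stores a random
# salt alongside the ciphertext. Assumption: 16 random bytes.
DEMO_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte vault key with PBKDF2-HMAC-SHA256.

    The server never needs to store the master password: only the derived key
    (or a further hash of it) is required to unlock or verify the vault.
    Assumption: SHA-256 as the PRF, which the article does not specify.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def verify_master_password(candidate: str, salt: bytes, iterations: int,
                           expected_key: bytes) -> bool:
    """Check a candidate password against a stored derived key in constant time."""
    derived = derive_vault_key(candidate, salt, iterations)
    return hmac.compare_digest(derived, expected_key)


def cost_multiplier(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 work is linear in the iteration count, so an attacker testing
    guesses against a stolen vault has to do new/old times as much work per
    guess when the count is raised."""
    return new_iterations / old_iterations


def time_single_guess(iterations: int, salt: bytes = DEMO_SALT) -> float:
    """Measure how long one derivation takes on this machine (seconds).

    This is the defender-side cost of one login and, equally, the attacker-side
    cost of one guess against a stolen, encrypted vault.
    """
    start = time.perf_counter()
    derive_vault_key("timing-probe-password", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    master = "example master password, constructed for the demo"
    key_low = derive_vault_key(master, DEMO_SALT, LASTPASS_ITERATIONS)
    key_high = derive_vault_key(master, DEMO_SALT, RECOMMENDED_ITERATIONS)

    # Same password, different iteration count: different key, so the count is
    # part of the vault parameters and must be migrated deliberately.
    print("keys differ across iteration counts:", key_low != key_high)
    print("verify correct password:",
          verify_master_password(master, DEMO_SALT, LASTPASS_ITERATIONS, key_low))
    print("verify wrong password:",
          verify_master_password("wrong", DEMO_SALT, LASTPASS_ITERATIONS, key_low))
    print(f"cost multiplier {LASTPASS_ITERATIONS} -> {RECOMMENDED_ITERATIONS}: "
          f"{cost_multiplier(LASTPASS_ITERATIONS, RECOMMENDED_ITERATIONS):.2f}x")
    print(f"one guess at {LASTPASS_ITERATIONS}: "
          f"{time_single_guess(LASTPASS_ITERATIONS):.3f}s")
    print(f"one guess at {RECOMMENDED_ITERATIONS}: "
          f"{time_single_guess(RECOMMENDED_ITERATIONS):.3f}s")
```

The point of the check is that raising the iteration count multiplies the attacker's per-guess work by roughly 3.1x here, which is a linear improvement only; it buys time against an offline attack on a stolen vault but does not rescue a weak master password, which is why the length requirement the lawsuit mentions matters just as much.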