
LastPass Faces Class-Action Lawsuit Over Password Vault Breach

The plaintiff blames LastPass for a loss of $53,000 in cryptocurrency, and putting his security and privacy at risk.

By Michael Kan, Principal Reporter


A LastPass user has filed a class-action lawsuit against the password management provider for failing to prevent a recent, staggering data breach.

The lawsuit, filed this week in the US District Court in Massachusetts, comes from an anonymous LastPass user identified as John Doe, who originally signed up for the service in May 2016. He is now demanding the company pay damages after LastPass announced last month that it had lost a copy of every user's password vault to a hacker.

“Plaintiff and the Class are anxious and alert as they are at a substantial risk of being bombarded with phishing emails and other scams, in addition to the fraud they have already suffered,” reads the lawsuit, which accuses LastPass of negligence, breach of contract, and deceptive acts.

LastPass, which has over 30 million users, did not immediately respond to a request for comment. But the company has been trying to downplay the severity of the breach by saying the hacker only took copies of users' encrypted password vaults. Hence, the hacker still needs the master password—which only the user knows—to decrypt any individual vault.

However, the class-action lawsuit points out the hacker stole unencrypted personal information about users, including billing addresses, email addresses, telephone numbers, along with the website URLs assigned to each encrypted password. The hacker could easily exploit this information to target LastPass users with phishing emails designed to scam them. 

The lawsuit also takes issue with LastPass’s claim that users ensnared in the breach remain protected because the company has no knowledge of their master passwords. “Not only has this statement not been verified through discovery, but it is also a shameless attempt by LastPass to shift the blame of the Data Breach’s resulting negative impact on Plaintiff and Class members,” the lawsuit argues. 

The plaintiff behind the legal action is concerned a hacker could eventually guess the master passwords to individual vaults, citing advancements in password-cracking algorithms powered by today’s GPUs. In addition, the user suspects the breach at LastPass may have led a hacker to steal $53,000 in bitcoin from him over Thanksgiving weekend, since the private keys to his cryptocurrency transactions were stored on LastPass.
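The two points above, that a stolen vault is useless without the master password and that GPU-driven guessing is the remaining threat, come down to one quantity: how much work each guess costs an attacker who holds the ciphertext offline. The following Python is an added illustration and is not code from the article or from LastPass; it assumes a hypothetical vault that stretches the master password with PBKDF2-HMAC-SHA256 (the hash rate, iteration counts, and password scenarios are constructed values chosen only to show how the arithmetic scales, not measurements of any real product).

```python
import hashlib
from dataclasses import dataclass

# Constructed assumption for illustration (not a figure from the article or
# from any vendor): one GPU evaluating about one billion HMAC-SHA256
# operations per second when guessing master passwords offline.
HASHES_PER_SECOND_PER_GPU = 1_000_000_000


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    This is a hypothetical vault scheme standing in for a real manager's:
    the stolen ciphertext is useless without this key, and whoever holds the
    vault must repeat the full derivation for every candidate guess, so
    `iterations` directly multiplies the cost of each guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),  # a per-user salt such as the account e-mail address
        iterations,
        dklen=32,
    )


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords of a fixed length over an alphabet."""
    return alphabet_size ** length


def expected_guess_seconds(keyspace: int, iterations: int, gpus: int = 1) -> float:
    """Expected wall-clock seconds before an offline brute-force search succeeds.

    On average half the keyspace is tried before the right password is hit,
    and each guess costs `iterations` HMAC operations, so the effective guess
    rate is the raw hash rate divided by the iteration count.
    """
    guesses_per_second = (HASHES_PER_SECOND_PER_GPU * gpus) / iterations
    return (keyspace / 2) / guesses_per_second


@dataclass(frozen=True)
class Scenario:
    label: str
    alphabet_size: int  # distinct symbols (or words) the user chooses from
    length: int         # symbols (or words) in the master password
    iterations: int     # PBKDF2 iteration count configured on the account


# Constructed scenarios: an eight-letter lowercase password versus a five-word
# passphrase drawn from a 7,776-word diceware-style list, each under a low and
# a high iteration count. The iteration counts are illustrative values only.
DEMO_SCENARIOS = (
    Scenario("eight lowercase letters, 5,000 iterations", 26, 8, 5_000),
    Scenario("eight lowercase letters, 600,000 iterations", 26, 8, 600_000),
    Scenario("five-word passphrase, 5,000 iterations", 7_776, 5, 5_000),
    Scenario("five-word passphrase, 600,000 iterations", 7_776, 5, 600_000),
)


def compare_scenarios(scenarios=DEMO_SCENARIOS, gpus: int = 1) -> dict:
    """Map each scenario label to its expected brute-force time in seconds."""
    return {
        s.label: expected_guess_seconds(
            keyspace_size(s.alphabet_size, s.length), s.iterations, gpus
        )
        for s in scenarios
    }


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit for the report."""
    units = (("years", 365 * 86_400), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", "user@example.com", 600_000)
    print(f"derived vault key: {key.hex()}")
    for label, secs in compare_scenarios().items():
        print(f"{label:<45} {humanize(secs)}")
```

Running the comparison shows the two levers a user and a vendor control: raising the iteration count multiplies the cost of each guess linearly (5,000 to 600,000 iterations buys a factor of 120), while lengthening the master password multiplies it exponentially (eight lowercase letters fall within days at the low count, whereas the five-word passphrase is out of reach at either count). That is why, after a vault-theft disclosure, a short master password is the risk to act on first, regardless of how the ciphertext itself was protected.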

It was not until Dec. 22 that LastPass fully disclosed the disturbing scale of the breach, which was traced back to a hacker who initially infiltrated the company in August.

“If Defendant had disclosed the full extent of the Data Breach in August instead of waiting months to do so, Plaintiff and Class members would have been on heightened alert and changed their passwords, thus avoiding the thefts that ensued,” the lawsuit adds. (That said, the lawsuit offers no evidence to show his bitcoin was lost due to hackers exploiting the breach at LastPass.)

In response, the class-action lawsuit is demanding the court force LastPass to apply better security practices, in addition to paying affected consumers damages.

About Our Expert

Michael Kan


Principal Reporter

My Experience

I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.

Since 2020, I've covered the launch and explosive growth of SpaceX's Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I've combed through FCC filings for the latest news and driven to remote corners of California to test Starlink's cellular service.

I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.

I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I'm now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I'm always eager to learn more, so please jump in the comments with feedback and send me tips.

The Best Tech I've Had:

  • My first video game console: a Nintendo Famicom
  • I loved my Sega Saturn despite PlayStation's popularity.
  • The iPod Video I received as a gift in college
  • Xbox 360 FTW
  • The Galaxy Nexus was the first smartphone I was proud to own.
  • The PC desktop I built in 2013, which still works to this day.
