in Newswire Published on December 6, 2022

LastPass’s ‘Deficient’ Cybersecurity Caused 2022 Data Breach, Class Action Claims [UPDATE]

Last Updated on February 4, 2026

Debt Cleanse Group Legal Services, LLC v. GoTo Technologies USA, Inc. et al

Filed: December 2, 2022 ◆§ 1:22-cv-12047

LastPass US LP and GoTo Technologies USA face a class action that claims the companies’ inadequate cybersecurity practices resulted in a data breach in August 2022.

Defendant(s)

GoTo Technologies USA, Inc. LastPass US LP

Law(s)

State(s)

Massachusetts

February 3, 2026 — $8.2M LastPass Settlement Green-Lit, Wrapping Up Data Breach Lawsuit

LastPass has agreed to an $8.2 million settlement to resolve the data breach class action lawsuit detailed on this page.

Learn more about the deal with ClassAction.org’s write-up on the LastPass data breach settlement.

Don’t miss out on class action settlement news like this. Sign up for ClassAction.org’s free weekly newsletter.

LastPass US LP and affiliate GoTo Technologies USA face a proposed class action that claims the companies’ inadequate cybersecurity practices resulted in a data breach in August 2022, compromising customers’ financial and personal information.

The 31-page case alleges the defendants have falsely advertised that LastPass’s password management service utilizes “robust” data security procedures. Based on these promotions, the plaintiff, Debt Cleanse Group Legal Services, purchased an enterprise subscription to LastPass in 2018 so its employees could use the program to store passwords, the filing claims.

Although the service purports to offer superior data protection, the defendants employed “deficient and unreasonable” cybersecurity practices, such that an unauthorized third party infiltrated LastPass and GoTo’s shared network in August of this year, the complaint contends. Per the suit, the system contains sensitive customer data, including financial account information, names, addresses, contact information and account passwords, that has likely been copied, sold and used for criminal activity such as identity theft or fraud.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

According to the case, LastPass discovered the data breach in August and released public statements on August 25 and September 15, relaying that no customer information was under threat. However, in an “unreasonably” delayed notification published on November 30, LastPass admitted that “the criminals accessed certain elements” of customer information, the suit says. The notice also stated that consumers’ passwords were still secure, which is a report based on LastPass’s “incomplete and ongoing” investigation, the filing charges.

“Each new notice revealed that the Data Breach was worse than before, while continuing to falsely allay reasonable concerns that Customer Information was taken or the Data Breach was serious,” the case states.

The case relays that the plaintiff would not have purchased LastPass’s service had it known that the defendants would not properly safeguard their network.

The lawsuit looks to cover anyone whose customer information was accessed in the LastPass and GoTo data breach discovered in August 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.

Case Spotlight

Video Game Addiction Lawsuits

If your child suffers from video game addiction — including Fortnite addiction or Roblox addiction — you may be able to take legal action. Gamers 18 to 22 may also qualify.

Learn more:Video Game Addiction Lawsuit

Depo-Provera Lawsuits

Anyone who received Depo-Provera or Depo-Provera SubQ injections and has been diagnosed with meningioma, a type of brain tumor, may be able to take legal action.

How Do I Join a Class Action Lawsuit?

Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?

Read more here: How Do I Join a Class Action Lawsuit?