Julie Manganis
December 26, 2025
LastPass Reports Settlement With Data Breach Class
AI-made summary
- LastPass has informed a Massachusetts federal judge that it has reached an agreement in principle to settle a consolidated class action related to its 2022 data breach, which affected approximately 30 million customers and 85,000 businesses
- The notice follows months of mediation between LastPass and plaintiffs from nine lawsuits
- Details of the settlement have not been disclosed, but a finalized agreement and motion for approval are expected within 45 days
- GoTo Technologies, LastPass's owner, was previously dismissed from the case.
Password manager app LastPass told a Massachusetts federal judge Tuesday that it has reached an agreement in principle to settle a consolidated class action over its 2022 data breach.
The notice to U.S. District Judge Patti B. Saris comes after months of mediation between LastPass and lawyers for plaintiffs in nine lawsuits brought in the wake of the hack, which potentially affected 30 million customers and 85,000 businesses that used the app to store usernames, passwords and other sensitive information.
A finalized settlement and motion for approval are expected to be filed with the court within 45 days, according to the notice, which offers no details of the proposed terms.
"We look forward to presenting the terms of the settlement to the court and believe that the outcome will present a fair resolution and path forward for individuals who were impacted by the incident including those who experienced cryptocurrency loss," said Amy Keller of DiCello Levitt LLP, interim co-lead counsel for the plaintiffs.
"While we continue to deny the claims alleged in this class action, we have agreed to a settlement to avoid the ongoing distraction and uncertainty of protracted litigation and to focus fully on serving our customers," LastPass said in a statement provided to Law360.
"The security and privacy of our users' information remain our highest priority, and we have made substantial investments to further enhance our information security teams, technologies, and processes," the company said. "We sincerely regret any stress that this incident may have caused and remain committed to building and keeping trust in LastPass."
LastPass and its Massachusetts-headquartered owner GoTo Technologies were hit with multiple proposed class actions after the hack was disclosed in September 2022. GoTo was dismissed from the case as a defendant last year, but Judge Saris allowed a number of claims against LastPass to move forward.
The breach allegedly occurred when a hacker was able to install keylogging software on the home computer of a software engineer, which captured his login credentials, according to the complaints.
That enabled the hackers to obtain access to servers that stored millions of customers' digital keyrings — data LastPass argued was still in an encrypted form, but which the plaintiffs said had already been accessed and used to commit fraud.
LastPass is represented by Christopher A. Wiech, Chelsea M. Lamb and Georgia L. Bennett of Baker & Hostetler LLP, Aaron Charfoos of Paul Hastings LLP and Raymond P. Ausrotas and William McGonigle of Arrowood LLP.
The plaintiffs are represented by James A. Ulwick and Amy Keller of DiCello Levitt LLP, Nathaniel L. Orenstein, Patrick T. Egan, Christina Sarraf and Justin N. Saif of Berman Tabacco, Nicholas A. Migliaccio, Jason Rathod and Bryan Faubus of Migliaccio & Rathod LLP, Michael R. Reese, Charles D. Moore and George Granade of Reese LLP, James J. Pizzirusso and Steven M. Nathan of Hausfeld LLP, Thomas A. Zimmerman Jr. of Zimmerman Law Offices PC, Sabita J. Soneji and Cort T. Carlson of Tycko & Zavareei LLP, Robert C. Schubert and Amber L. Schubert of Schubert Jonckheer & Kolbe LLP, Laura Van Note and Cody Bolce of Cole & Van Note, Michael Kind of Kind Law, Mark E. Dann and Brian D. Flick of DannLaw, Francis A. Bottini Jr. and Albert Y. Chang of Bottini & Bottini Inc., and Edward F. Haber, Ian McLoughlin and Patrick J. Vallely of Shapiro Haber & Urmy LLP.
The case is In re LastPass Data Security Incident Litigation, case number 1:22-cv-12047, in the U.S. District Court for the District of Massachusetts.
