LastPass is still dealing with last year’s data breach, which exposed the personal information and passwords of some customers. But new information about this story reminds us why every computer user and business needs to take security seriously.
On February 28th, LastPass finally explained how its data breach occurred. A hacker initially targeted “vulnerable third-party media software” on a DevOps engineer’s personal home computer, installing a keylogger to collect the employee’s master password. This engineer happens to be one of four LastPass employees who can access the corporate vault, so it’s safe to assume that this was a targeted hack.
Yes, the employee targeted in this hack owned a corporate laptop (which has since been replaced). Some reports state that the employee used their personal computer to access work resources, though this hasn’t been confirmed by LastPass.
Here’s the interesting thing: the “vulnerable third-party media software” exploited in this hack was Plex. Initial news of Plex’s involvement came courtesy of leakers (via Ars Technica), but was later confirmed by Plex on March 1st.
When the Ars Technica report came out, Plex said that it hadn’t been contacted by LastPass. But things have changed: LastPass has since told Plex that the exploited vulnerability was CVE-2020-5741. Plex tells Review Geek that this exploit was disclosed and patched in May of 2020, at least 2.5 years before the LastPass breach.
Clearly, the targeted LastPass employee neglected to update their Plex server for at least two years. There have been nearly 75 Plex updates since the CVE-2020-5741 exploit was patched. This is a serious failure of both personal and corporate security; as Plex notes, update notifications are provided “via the admin UI,” and automatic updates are quite common.
But in a way, this failure is kind of understandable. Some Plex updates need to be performed manually, and as any Plex user knows, these updates may introduce problems or force you to redo some of your media library’s metadata. The LastPass employee targeted in this hack may have failed to realize that an update needed to be installed manually (though there’s a chance that they intentionally avoided updating).
Take this as a lesson: any part of a network can compromise your security, or even the security of others. You need to keep products up to date, and if a device in your home suffers from an unpatched exploit, you should take it offline. (Also, Plex needs to improve its update process. I know this from experience.)
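The practical way to act on that lesson is to know, for every piece of software on the home network, whether the installed build predates the release that fixed a known flaw and for how long it has sat unpatched. The script below is an added example written for this article, not code from LastPass, Plex or Review Geek. It keeps a small constructed inventory, compares version strings numerically (Plex-style build tags such as `-ef515a800` are ignored, while `-beta`/`-rc` suffixes are treated as older than the release they precede), and reports the patch lag in days. The `fixed_version` values and the `VENDOR-ADVISORY-PLACEHOLDER` advisory ids are placeholders; the article does not name the Plex release that closed CVE-2020-5741, and only the fix month (May 2020) comes from the page.

```python
"""Patch-lag check over a home-network software inventory (added example).

The inventory below is constructed for illustration. "fixed_version" values
are placeholders, not the actual Plex release that patched CVE-2020-5741.
"""
import re
from dataclasses import dataclass
from datetime import date

# Leading dotted integers, then an optional "-suffix" (build hash or pre-release tag).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """Return (numeric_parts, is_prerelease) for strings like '1.19.3.2764-ef515a800'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(part) for part in match.group(1).split("."))
    suffix = (match.group(2) or "").lstrip("-").lower()
    # Only alpha/beta/rc tags mean "older than the release"; build hashes do not.
    is_prerelease = suffix.startswith(("alpha", "beta", "rc"))
    return nums, is_prerelease


def _sort_key(text, width):
    """Pad numeric parts to a common width; a pre-release sorts below its release."""
    nums, is_prerelease = parse_version(text)
    padded = nums + (0,) * (width - len(nums))
    return padded, 0 if is_prerelease else 1


def is_vulnerable(installed, fixed):
    """True when the installed build predates the release that shipped the fix."""
    width = max(len(parse_version(installed)[0]), len(parse_version(fixed)[0]))
    return _sort_key(installed, width) < _sort_key(fixed, width)


@dataclass
class Entry:
    name: str
    installed: str
    fixed_version: str   # first release containing the fix
    fix_date: date       # date that release shipped
    advisory: str        # CVE or vendor advisory id


def patch_lag_report(inventory, today):
    """Return [(name, advisory, days_exposed)] for every entry still behind its fix."""
    findings = []
    for entry in inventory:
        if is_vulnerable(entry.installed, entry.fixed_version):
            findings.append((entry.name, entry.advisory, (today - entry.fix_date).days))
    return findings


# Constructed inventory; versions other than the advisory id are placeholders.
INVENTORY = [
    Entry("plex-media-server", "1.18.9.0", "1.19.3.0", date(2020, 5, 7), "CVE-2020-5741"),
    Entry("router-firmware", "2.4.1", "2.4.0", date(2021, 1, 15), "VENDOR-ADVISORY-PLACEHOLDER"),
    Entry("nas-os", "4.2.0-beta", "4.2.0", date(2022, 9, 1), "VENDOR-ADVISORY-PLACEHOLDER"),
]

if __name__ == "__main__":
    # Fixed "today" so the output is reproducible; use date.today() in practice.
    for name, advisory, days in patch_lag_report(INVENTORY, date(2022, 11, 1)):
        print(f"{name}: still behind the fix for {advisory} after {days} days")
```

Run on its own, the script flags the Plex entry (behind the placeholder fix by roughly two and a half years, matching the gap the article describes) and the beta NAS build, while the router, which is one patch release ahead of its fix, is left alone. Anything this report lists is a candidate for the article's advice: update it, or take it off the network until you can.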
Unfortunately, tech corporations don’t know how to lead by example. LastPass bears the responsibility here, and it has the track record to prove that it can’t take security seriously. We’ve reached out to LastPass for a comment and are waiting for a response.
Source: LastPass, Plex