More details about LastPass's recent hack state that it could have been prevented if the LastPass senior engineer had updated his Plex app years ago.
It is revealed that the compromised system (that of a LastPass employee), through which the hacker broke in, was taken over by exploiting a bug in the Plex app on the victim's home computer. A patch for this bug has been available for years, but the user never applied it, leading to the breach.
A Lazy Employee is the Cause
From being one of the best password managers out there to an infamous service in just one year, LastPass's fate has quickly turned for the worse since last year. The company suffered two data breaches (1, 2), with the latest one being sillier than ever.
As per reports, the hacker in this case compromised the corporate account of a LastPass senior engineer, allowing the threat actor to move across the company's network and steal its data. More details on this case have now emerged, revealing that the engineer's irresponsibility caused the actual damage.
It was reported that the hacker compromised the engineer's LastPass account through vulnerable Plex software, which the victim had been using on his personal computer. The hacker was able to exploit a bug in the Plex desktop app and install a keylogger on the victim's computer.
After obtaining his credentials for the LastPass corporate account (yes, LastPass allowed this senior engineer to access their network via a home computer!), the hacker breached the LastPass network and stole the data.
Plex revealed that the exploit in question was disclosed back on May 7, 2020, and the company released a patch for it on the same day. Yet the employee hadn't patched it for three years! Plex claims to have released about 75 versions since then, all of which this LastPass engineer ignored.
Had he updated the app earlier, LastPass wouldn't have suffered this shameful incident.