New details about LastPass’s recent hack indicate that it could have been prevented, if only the LastPass senior engineer had updated his Plex app years ago!
It turns out the hacker’s entry point was the system of a LastPass employee, compromised by exploiting a bug in the Plex app on the victim’s home computer! A patch for that bug had been available for years, but the user never applied it, leading to the breach!
A Lazy Employee is the Cause
In just one year, LastPass has gone from one of the best password managers out there to an infamous service. The company suffered two data breaches (1, 2), with the latest one being sillier than ever.
According to reports, the hacker compromised the corporate account of a LastPass senior engineer, which let the threat actor move across the company’s network and steal its data. More details on the case have now emerged, revealing that the engineer’s irresponsibility caused the actual damage.
It was reported that the hacker compromised the engineer’s LastPass account through vulnerable Plex software that the victim had been using on his personal computer. The hacker exploited a bug in the Plex desktop app to install a keylogger on the victim’s computer.
After obtaining his credentials for the LastPass corporate account (yes, LastPass allowed this senior engineer to access its network from a home computer!), the hacker breached the LastPass network and stole the data.
Plex revealed that the vulnerability in question was disclosed on May 7, 2020, and that the company released a patch for it the same day. Yet the employee hadn’t patched it for three years! Plex says it has released about 75 versions since then, all of which this LastPass engineer ignored!
Had he updated the app earlier, LastPass wouldn’t have suffered this shaming incident.