The LastPass Data Breach: Failure to Update Plex Software by Engineer Resulted in a Major Security Breach.
LastPass Breach Resulted from Failure to Update Plex Software.
A recent breach at LastPass, a popular password management service, has been attributed to one of its engineers failing to update the Plex Media Server software running on their home computer.
The breach occurred when unidentified actors combined information stolen during an earlier incident (before August 12, 2022) with data from a third-party breach and a vulnerability in a third-party media software package. This let the attackers steal customer information and password vault data that was only partially encrypted (some vault fields, such as site URLs, were stored in the clear).
The second attack was targeted at one of only four DevOps engineers who held the keys needed to access the cloud storage environment. The attacker exploited the unpatched Plex software on the engineer's home computer to install keylogger malware, which captured the engineer's master password as it was typed, after the engineer had already completed MFA. That gave the attackers the engineer's corporate vault and, with it, the credentials and decryption keys for the cloud storage environment.
The vulnerability that allowed this to happen was CVE-2020-5741, a deserialization flaw in Plex Media Server on Windows. It allowed an authenticated attacker to execute arbitrary Python code in the context of the operating system user running the server. The flaw was discovered and reported by Tenable in March 2020 and was patched by Plex in version 1.19.3.2764, released on May 7, 2020. The LastPass engineer never installed that fix: the Plex instance on their machine was roughly 75 releases behind by the time of the attack. Note that the flaw is post-authentication, so it requires a valid login to the Plex server; an unpatched server is therefore exploitable by anyone who obtains a session on it, and patching removes the exposure regardless of how those credentials were obtained.
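To make concrete what "a deserialization flaw that allows arbitrary Python code" means, here is an added, constructed example. It is not Plex's code and does not reproduce the CVE-2020-5741 code path; it shows the generic pattern (pickle.loads on attacker-controlled bytes), why that is code execution, and three ways to close it. The eval-based payload, the empty allowlist in RestrictedUnpickler and the sample library record are all made up for illustration.

```python
"""Added illustration (not Plex code): why deserialising untrusted input is
code execution, and how to close it.

Python's pickle format lets a serialised object name any importable callable
plus its arguments, and pickle.loads() invokes it during load. The payload,
the allowlist and the sample library record below are constructed for this
example only.
"""
import io
import json
import pickle
import pickletools


# --- Vulnerable pattern: pickle.loads() on attacker-controlled bytes -------

class Evil:
    """Serialises to 'call builtins.eval(<expression>) on load'.

    A harmless expression is used so the demo is safe to run; an attacker's
    version would name os.system or subprocess.Popen with their own arguments.
    """
    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_malicious_payload() -> bytes:
    # Only the callable and its argument are serialised, not the Evil class.
    return pickle.dumps(Evil())


def vulnerable_load(data: bytes):
    # The named callable runs inside loads(), before the caller can inspect
    # what came back. Returns the loading process's PID here.
    return pickle.loads(data)


# --- Mitigation 1: refuse pickles that reference any global at all ----------

def has_untrusted_globals(data: bytes) -> bool:
    """True if the pickle contains an opcode that names a module-level object.

    Plain data (dicts, lists, strings, numbers) never needs one, so for a
    data-only document this is a cheap pre-check before deserialising.
    """
    for opcode, _arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "STACK_GLOBAL", "INST"):
            return True
    return False


# --- Mitigation 2: an Unpickler with an explicit allowlist ------------------

class RestrictedUnpickler(pickle.Unpickler):
    # Empty on purpose: extend deliberately, e.g. {("datetime", "datetime")}.
    ALLOWED_GLOBALS = set()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def try_restricted_load(data: bytes):
    """Returns (True, obj) on success, (False, reason) when blocked."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# --- Mitigation 3: do not use an object serialiser for data at all ---------

def safe_load_json(data: bytes) -> dict:
    # JSON has no notion of "call this function"; the worst case is a parse error.
    return json.loads(data)


# Constructed sample of the kind of record a media server might persist.
SAMPLE_LIBRARY = {"library": "Movies", "files": ["a.mp4", "b.mkv"]}


def demo() -> dict:
    payload = build_malicious_payload()
    benign = pickle.dumps(SAMPLE_LIBRARY)
    return {
        "malicious_has_globals": has_untrusted_globals(payload),
        "benign_has_globals": not has_untrusted_globals(benign),
        "restricted_blocks_malicious": try_restricted_load(payload)[0] is False,
        "restricted_allows_benign": try_restricted_load(benign) == (True, SAMPLE_LIBRARY),
        "json_roundtrip": safe_load_json(json.dumps(SAMPLE_LIBRARY).encode()) == SAMPLE_LIBRARY,
    }


if __name__ == "__main__":
    print(demo())
    print("code ran during load, pid:", vulnerable_load(build_malicious_payload()))
```

The opcode pre-check and the allowlisted Unpickler are defence in depth for code that must keep reading pickles; the real fix, as with Plex's patch, is to stop feeding an object serialiser input that an authenticated user can shape, or to switch that interface to a data-only format.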
LastPass and Plex have both released statements urging users to keep their software up to date to prevent security breaches. The incident is a cautionary tale for individuals and businesses alike: a years-old, long-patched flaw on a single employee's home machine was enough to reach production data.