LastPass Hacked Because Employee Didn’t Install a Software Update

Earlier this week, LastPass disclosed that a major security breach last year that saw hackers steal customers’ encrypted password vaults, personal information, and more was orchestrated by installing malware on one employee’s home computer.

The popular password manager said that threat actors used information obtained from an earlier hack in August, in combination with access credentials gleaned from a keylogger that was installed on the DevOps engineer’s computer, to break into LastPass’s cloud-based storage and steal customer data.

According to a report from PCMag, however, the whole thing could have been avoided entirely — or at least delayed — if the employee in question had simply installed a software update.

While LastPass said that hackers exploited a vulnerability on a “third-party media software package” on the engineer’s computer to plant the keylogger, PCMag recently learned that the target was Plex Media Server software. However, the exploited vulnerability was almost three years old and had already been patched, per Plex.

“An attacker who already had admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” Plex said when it patched the security flaw, known as CVE-2020-5741.

Unfortunately, the LastPass DevOps engineer was running an older, still vulnerable version of Plex.

“At the time, as noted in that post, an updated version of the Plex Media Server was made available to all (7-MAY-2020),” said a spokesperson for Plex. “Unfortunately, the LastPass employee never upgraded their software to activate the patch. For reference, the version that addressed this exploit was roughly 75 versions ago.”

Plex told PCMag that it was unsure as to why the LastPass employee didn’t update their Plex Media Server, since the company “will provide notifications via the admin UI about updates that are available, and will also do automatic updates in many cases.”

The incident demonstrates just how important it is to keep all the software on your computer up-to-date. However, it should be noted that the hackers could only have exploited the vulnerability in question if they already had admin access to the engineer’s Plex Media Server account. This indicates that they had already gained access to the employee and, therefore, could have found another way to install the keylogger on their computer.

LastPass said earlier this week that the hackers were able “to capture the employee’s master password as it was entered, after the employee authenticated with MFA (multi-factor authentication), and gain access to the DevOps engineer’s LastPass corporate vault.”

On the company’s part, allowing an employee to access sensitive, mission-critical data from an unsecured home computer was definitely a lapse in security.

LastPass’s investigation into the breach found that the hackers were able to access and steal data, including customers’ encrypted password vaults, from the company’s cloud storage servers for over two months, between August 12, 2022, and October 26, 2022.

Even though LastPass is taking major steps to overhaul and improve its security, the hack — one of the largest to ever hit a password manager — has shaken user confidence in the company.

P.S. Help support us and independent media here: Buy us a beer, Buy us a coffee, or use our Amazon link to shop.