Attack Vector for Major LastPass Breach Identified As An Unpatched Plex Server

Posted on Saturday, Mar 11, 2023 by Chris Hayner

Featured in this episode of Chaos Lever

LastPass’s reputation for security and data stewardship has kind of been through the wringer over the past 18 months. There was a breach massive enough to earn a large chunk of show time a few months back, and then, just a few short days ago, more bad news landed.

Over a series of increasingly frustrating press releases, LastPass finally fessed up to what happened. The attack vector was “an earlier, unpatched version of Plex Media Server on a LastPass DevOps engineer’s home computer.” That vulnerability let the attackers install malware with a keylogger on the engineer’s machine; the keylogger captured the engineer’s master password as it was typed, after MFA had already been satisfied, which gave the attackers everything they needed to get into the engineer’s corporate vault.

The press release then low-key tried to blame Plex for the breach. Plex responded that the CVE in question dated from 2020, was fixed the same day it was announced, and that the fix shipped “roughly 75 versions ago.” There is plenty of blame to point at LastPass, but this is also a reminder that any internet-facing service needs to be taken seriously at all times, even when it is just the thing you use to watch TV.

Regardless of the LastPass service security failures, and there were many, this is also just bad personal security hygiene. If this employee had kept Plex updated, this particular way in would have been closed. If Plex had been on its own box on an isolated VLAN, a compromised media server would have been a long way from the engineer’s workstation and its keystrokes, and the attackers would have needed a second hop to get anywhere useful. Defense in depth, people: separate your servers from your desktops.
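“Keep Plex updated” is easy to say and easy to forget, so here is a small audit script you can point at a home Plex server. This is an added example, not code from the post or from Plex. It assumes the unauthenticated identity endpoint Plex Media Server exposes at http://host:32400/identity returns an XML MediaContainer element whose version attribute looks like "1.19.3.2852-4a7ce7da8" (dotted numeric release followed by a build hash); the sample response, the machineIdentifier, the version numbers and the minimum-version threshold below are all constructed for illustration, and the minimum you compare against is your own choice of a release you know carries the fixes you care about.

```python
"""Audit a Plex Media Server's reported version against a minimum you trust.

Added example (not from the original post or from Plex). Assumes Plex's
unauthenticated http://<host>:32400/identity endpoint returns an XML
MediaContainer element whose `version` attribute looks like
"1.19.3.2852-4a7ce7da8" (numeric dotted release, then a build hash).
Verify those details against your own server before relying on this.
"""
import re
import xml.etree.ElementTree as ET
from urllib.request import urlopen

# Constructed sample response shaped like a Plex /identity reply; the
# machineIdentifier and version values are made up for illustration.
SAMPLE_IDENTITY_XML = """<MediaContainer size="0" claimed="1"
    machineIdentifier="0123456789abcdef0123456789abcdef01234567"
    version="1.19.3.2852-4a7ce7da8"/>
"""

# Leading dotted-numeric part of the version; the "-hash" suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "1.19.3.2852-4a7ce7da8" into (1, 19, 3, 2852) for ordered comparison."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Plex version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def extract_version(identity_xml: str) -> str:
    """Pull the version attribute out of an /identity response document."""
    root = ET.fromstring(identity_xml)
    if root.tag != "MediaContainer" or "version" not in root.attrib:
        raise ValueError("response does not look like a Plex /identity reply")
    return root.attrib["version"]


def is_outdated(identity_xml: str, minimum: str) -> bool:
    """True when the server reports a release older than `minimum`."""
    return parse_version(extract_version(identity_xml)) < parse_version(minimum)


def fetch_identity(host: str, port: int = 32400, timeout: float = 5.0) -> str:
    """Fetch the live /identity document from a server on your network."""
    with urlopen(f"http://{host}:{port}/identity", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def audit(identity_xml: str, minimum: str) -> str:
    """One-line verdict for a human (or a cron job's mail)."""
    ver = extract_version(identity_xml)
    status = "OUTDATED" if is_outdated(identity_xml, minimum) else "ok"
    return f"Plex {ver}: {status} (minimum {minimum})"


if __name__ == "__main__":
    # Offline run against the constructed sample and an illustrative threshold.
    print(audit(SAMPLE_IDENTITY_XML, "1.20.0.0"))
    # Live run against a real server (hypothetical address):
    # print(audit(fetch_identity("192.168.1.50"), "1.20.0.0"))
```

Drop it in a cron job that mails you when the verdict says OUTDATED, and you have turned “I’ll update it eventually” into a nag that fires before an attacker does. The version comparison deliberately strips the build hash, since hashes do not order, and compares the numeric components as a tuple, so "1.19.3.2852" correctly sorts below "1.20.0.0" even though "2852" is a bigger number than anything in the newer string.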