The hack that led to a data breach at password vault LastPass was caused by an employee who had not updated specific third-party software at home for two years.
LastPass announced in August 2022 that it was receiving hackers. Initially, it sounded that no customer data or password vaults had been leaked. However, it came back to that by December. The data is protected with 256-bit AES encryption unless someone can guess your master password.
Now it is clear how that hack could have happened. LastPass had previously stated that the cause is external software on an employee’s PC. By running malware there, keystrokes could be collected. However, it was not initially said which software it involved.
PCMag now knows that it concerns a vulnerability in Plex Media Server, Software to stream your media files on various devices, among other things. But it is not a recent problem. Instead, PCMag learned that it is CVE-2020-5741, an issue that Plex had already fixed with an update in May 2020.
The employee has, therefore, not updated the software for more than two years; in the meantime, 75 new versions have been published. LastPass also confirmed to PCMag that it was Plex, with no further details about the exact leak or why the employee had not performed any updates.
The question is whether the attacker has administrator access and can upload malicious code to the camera upload function. How admin access was possible is not entirely clear.
PCMag states that up-to-date software in your home environment is essential to prevent these incidents. But it also points to LastPass, which gave employees access to compassionate customer data from their home computers.