
LastPass Data Breach Shows Why Plex Updates Are Important

By Andrew Heinzman
LastPass is still dealing with last year's data breach, which exposed the personal information and passwords of some customers. But new information about this story reminds us why every computer user and business needs to take security seriously.

On February 28th, LastPass finally explained how its data breach occurred. A hacker initially targeted "vulnerable third-party media software" on a DevOps engineer's personal home computer, installing a keylogger to collect the employee's master password. This DevOps engineer happens to be one of four LastPass employees who can access the corporate vault, so it's safe to assume that this was a targeted hack.

Yes, the employee targeted in this hack owned a corporate laptop (which has since been replaced). Some reports state that the employee used their personal computer to access work resources, though this hasn't been confirmed by LastPass.

Here's the interesting thing: the "vulnerable third-party media software" exploited in this hack was Plex. Initial news of Plex's involvement came courtesy of leakers (via Ars Technica), but was later confirmed by Plex on March 1st.

When the Ars Technica report came out, Plex said that it hadn't been contacted by LastPass. But things have changed: LastPass tells Plex that the exploited vulnerability was CVE-2020-5741. Plex tells Review Geek that this vulnerability was disclosed and patched in May of 2020, at least 2.5 years before the LastPass breach.

Clearly, the targeted LastPass employee neglected to update their Plex server for at least two years. There have been nearly 75 Plex updates since CVE-2020-5741 was patched. This is a serious failure of both personal and corporate security; as Plex notes, update notifications are provided "via the admin UI," and automatic updates are quite common.

But in a way, this failure is kind of understandable. Some Plex updates need to be performed manually, and as any Plex user knows, these updates may introduce problems or force you to redo some of your media library's metadata. The LastPass employee targeted in this hack may have failed to realize that an update needed to be installed manually (though there's a chance that they intentionally avoided updating).

Take this as a lesson: any part of a network can compromise your security, or even the security of others. You need to keep products up to date, and if a device in your home suffers from an unpatched vulnerability, you should take it offline. (Also, Plex needs to improve its update process. I know this from experience.)

Unfortunately, tech corporations don't know how to lead by example. LastPass bears the responsibility here, and it has the track record to prove that it can't take security seriously. We've reached out to LastPass for a comment and are waiting for a response.

Source: LastPass, Plex
