LastPass' corporate vault stolen via an employee's hacked Plex

I know many folks here use both, I found this news rather stunning:

According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident commenced. The breach allowed the threat actor to access a proprietary database and make off with password data, usernames, and emails belonging to some of its 30 million customers. Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.

It's not clear if the Plex breach has any connection to the LastPass intrusions. Representatives of LastPass and Plex didn’t respond to emails seeking comment for this story.

I am in the process of changing all my vaulted passwords... Much easier said than done!

This is why I self-host my own Vaultwarden server.

1 Like

And I'm no programmer but these concerns probably help explain maddox's response here:

"Slippery slope" indeed. I appreciate the most conscientious approach possible. Convenience and ease should never supersede basic security. Do it right, or don't do it at all.

2 Likes

Yuck. Thanks for this info.
I wonder how Plex was hacked on this LastPass employee's machine?

Wouldn't it be ironic if the LastPass employee shared their Plex password...

I've been on 1Password for years, but I'm now looking into alternatives.
Has anyone tried Strongbox?

1 Like

Is this a password manager ?

Yes. Vaultwarden is a reverse-engineered password manager that uses Bitwarden's API.

Of course, if you followed the link I put in my post, this would have been fully explained.

1 Like

Why, when you answer a question, do you always have to add a sarcastic remark to your posts? I would prefer you not answer in the future if you are going to be sarcastic. A simple "yes" would have sufficed.

Nor will I be asking you any more questions.
Thank You

4 Likes

Bitwarden is looking pretty good now that the server and clients support Argon2

1 Like

From the article linked above: Plex server had a vulnerability “which enabled remote code execution capability and allowed the threat actor to implant keylogger malware”.

Afaict that vuln was patched in 2020 so either they hadn’t updated Plex in a while or this is a new RCE vulnerability.

3 Likes

Having worked in IT security, when you make things too inconvenient, you will find that people will do everything imaginable to avoid the inconvenience, and the result is terrible security. Good security does not create a denial of service, which is in itself a security incident. Good security is easy to use and just plain works. Passwords are unfortunately too simple to get around, and the world is switching to two-factor authentication (2FA). 2FA can feel super simple when a device is fingerprinted or certificates are used so that it's not required every time.

Well, in this case I don't think it was inconvenience. The guy was running the family jewels of a password vault (that supposedly only 4 people in the company had access to) on a home computer that was also running a hacked version of Plex, which allowed them to insert a keylogger to get LastPass's highly secure login credentials. The rest is history. Who the heck runs something THAT secure on the same machine running a media server? I have worked from home for decades and I would never, ever, ever do something like this, because it's just blatantly stupid on all levels and had to have violated his security guidelines at work.

I was a customer of Lastpass for years. Over Christmas I spent many, many days going through 800+ logins/passwords one by one to establish and change each one and canceled my account when I was done. I can't see how there is any way this company will or should survive this.

2 Likes

Where was this disclosed? I’d love to read more details.

1 Like

Thanks so much for the heads-up. I've also used LastPass for years from as early as I remember them being in existence, but I've been reluctant to use ANY kind of manager for accessing anything financial, so my risk may not be that high, but at last check it did have the passwords of 470 sites - primarily community or work-related sites - many of which I did not keep the passwords anywhere else.

I guess it's high time for me to look into something else more secure and updated. What did you end up switching over to?

1 Like

I'll have to find the quote. It just broke in the news yesterday so it should be relatively easy to find.

Yes, but was it a "hacked version of Plex" that the employee had installed?

Or was it just the regular release of Plex, that the hackers were able to remotely hack into?

When LastPass (LogMeIn) was purchased by two private equity firms a few years ago and immediately raised prices, I was done with them. A PE firm is interested in profits above all else, not a good recipe for security.

I moved over to the open source BitWarden and haven't looked back.

I don't know the answer, nor will anyone probably ever really know.

I had a situation with QNAP where I believe they were hacked, but they would never admit that. I had two devices infected by malware at around the same time and both were behind 2 routers with nothing opened up to the outside world. I and some other users felt pretty confident we found that it was infected via a firmware update, but they would never ever say that. I now have Synology.

As far as I know, LastPass can not access my accounts and passwords. To do so, they need the master key to my account, which they do not have.

A friend of mine's wife lost her LastPass password and LastPass could not help them recover it. She had to start over with a new LastPass vault.

In reading the article, hackers got the employee's passwords to LastPass accounts with Amazon. They may have gotten a copy of the LastPass vault, but unless they have every user's individual master key, they can not get at that user's data.

Of course, the hackers know who the users are. And if a user used a weak master key that the hackers can guess, (or brute force) they then can access the individual's accounts and password.

The best advice I have heard about picking a master key is to use something personal that CANNOT be searched for on the web. Pick something that only you know and is not recorded on the web.

We all have someone we think of as family, but that we are not related to. Use their name as the master key, with the hint being the relationship.
Example: You do not have any children, but your hint is "my son's name". Use the person's last name as the master key. As long as the relationship is not on the web (i.e. social media accounts), no one will ever guess it and you will never forget it.
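The point a few posts up about a stolen vault being only as good as the master key is worth seeing concretely. The following is an added example written for this thread, not code from LastPass or any other product: it models the attacker's position after a backup theft (they hold the salt, the KDF parameters and something that lets a guess be verified offline) and runs a small rule-mangled wordlist against two constructed vaults, one protected by a guessable master password and one by a random passphrase. The vault layout, the use of PBKDF2-HMAC-SHA256 salted with the account email, the key-check value and the 5,000-iteration count are all assumptions made to keep the demo self-contained and quick; the wordlist is constructed and tiny compared with the leaked-password lists attackers actually use.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo of an offline guessing attack on a stolen password-manager
# vault. The vault format below is an assumption for illustration only; it is
# not the real format of LastPass, Bitwarden or any other product.


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 keyed on the master password, salted with the
    account email (assumed scheme). Everything the attacker needs to repeat
    this is in the stolen blob except the password itself."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def key_check_value(key: bytes) -> bytes:
    """Value stored beside the ciphertext so a client can confirm the key
    before decrypting; it also lets an attacker confirm a guess offline."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def make_stolen_vault(email: str, master_password: str, iterations: int) -> dict:
    """What the thief holds: salt (email), KDF cost and the KCV. The encrypted
    entries are omitted because they are not needed to test guesses."""
    key = derive_vault_key(master_password, email, iterations)
    return {"email": email, "iterations": iterations, "kcv": key_check_value(key)}


def mangle(base_words, suffixes):
    """Tiny rule-based expansion of a base list (case toggle plus common
    suffixes), the way cracking tools grow a wordlist."""
    for word in base_words:
        for cap in (word, word.capitalize()):
            for suffix in suffixes:
                yield cap + suffix


def crack(vault: dict, candidates) -> tuple:
    """Return (recovered master password or None, number of guesses tried)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        key = derive_vault_key(candidate, vault["email"], vault["iterations"])
        if hmac.compare_digest(key_check_value(key), vault["kcv"]):
            return candidate, guesses
    return None, guesses


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Rough single-core guess rate at a given PBKDF2 iteration count; shows
    why the KDF cost setting matters once the vault is in attacker hands."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"bench{i}", "bench@example.com", iterations)
    return samples / (time.perf_counter() - start)


# Constructed base list. Real attack wordlists are millions of leaked
# passwords, names and phrases, with far richer mangling rules.
BASE_WORDS = ["password", "summer", "winter", "welcome", "monkey", "dragon",
              "letmein", "football", "qwerty", "sunshine"]
SUFFIXES = ["", "1", "12", "123", "!", "2020", "2021", "2022", "2023"]


def demo(iterations: int = 5000) -> dict:
    """Attack two constructed vaults with the same small wordlist."""
    email = "employee@example.com"  # constructed
    weak = make_stolen_vault(email, "Summer2022", iterations)
    strong = make_stolen_vault(email, secrets.token_urlsafe(16), iterations)
    return {
        "weak": crack(weak, mangle(BASE_WORDS, SUFFIXES)),
        "strong": crack(strong, mangle(BASE_WORDS, SUFFIXES)),
    }


if __name__ == "__main__":
    print(demo())
    for n in (5000, 100100, 600000):
        print(f"{n:>7} iterations: {guesses_per_second(n):7.1f} guesses/s on one core")
```

Run it and the weak vault falls inside the first few dozen guesses while the random passphrase survives the whole list; bump the iteration count and the printed guess rate drops roughly in proportion, which is the knob (together with memory-hard KDFs such as Argon2, mentioned earlier in the thread) that buys time after a theft, but only for master passwords that are not in the wordlist to begin with.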

Although Plex has stated they are unaware of an unpatched RCE vulnerability, they had one in 2020, so IMO the most likely scenarios are:

  1. The LastPass employee was running an older, unpatched version of Plex.

  2. There’s a zero day (aka new & unknown to Plex) RCE vulnerability.

I’d bet it’s #1 since the LastPass employee already demonstrated poor judgment / security practices.

There’s no reason to think that this involved a “hacked version of Plex”. Unless you meant a vulnerable version. For those of you running Plex that’s an important distinction.

Oh, I suspect we will know this and more before too long. LastPass almost certainly knows the version of Plex that was running and that will likely lead to the answer.

If I were a Plex user I’d make sure I was running the latest version and keep an eye on this:

1 Like
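For anyone who wants to act on the "make sure you are running the latest version" advice without clicking through the desktop UI on every box, here is an added example (not from Plex and not from anyone in this thread) that reads the server's own version report and compares it with a minimum the operator chooses. It relies on Plex Media Server answering `GET /identity` on its port 32400 with a small XML `MediaContainer` whose `version` attribute is the running build; the minimum version is a parameter you supply (the thread does not name which build fixed the 2020 issue, so none is hard-coded here), and the sample response embedded below is constructed for the offline test.

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Local, unauthenticated endpoint that reports the running Plex Media Server
# build. Change host/port if the server is not on this machine.
PLEX_IDENTITY_URL = "http://127.0.0.1:32400/identity"

# Constructed sample of an /identity response used for the offline demo.
SAMPLE_IDENTITY = (
    '<MediaContainer size="0" claimed="1" machineIdentifier="0123abcd" '
    'version="1.19.2.2737-b69929dab"/>'
)


def parse_plex_version(version: str) -> tuple:
    """'1.32.5.7349-8f4248874' -> (1, 32, 5, 7349). The build hash after '-'
    is dropped; anything that is not dotted integers is rejected rather than
    silently compared as text."""
    numeric = version.split("-", 1)[0]
    parts = numeric.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Plex version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_at_least(version: str, minimum: str) -> bool:
    """Numeric comparison with zero padding so '1.30' equals '1.30.0'."""
    v, m = parse_plex_version(version), parse_plex_version(minimum)
    width = max(len(v), len(m))
    return v + (0,) * (width - len(v)) >= m + (0,) * (width - len(m))


def version_from_identity_xml(xml_text: str) -> str:
    """Pull the version attribute out of a /identity response."""
    root = ET.fromstring(xml_text)
    if root.tag != "MediaContainer" or "version" not in root.attrib:
        raise ValueError("not a Plex /identity response")
    return root.attrib["version"]


def check_identity(xml_text: str, minimum: str) -> dict:
    """Combine parsing and comparison into one result a script can act on."""
    version = version_from_identity_xml(xml_text)
    return {"version": version, "minimum": minimum, "ok": is_at_least(version, minimum)}


def fetch_identity_xml(url: str = PLEX_IDENTITY_URL, timeout: float = 3.0) -> str:
    """Fetch the live response; only used when run as a script."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage: python plex_version_check.py <minimum-version> [identity-url]
    minimum = sys.argv[1] if len(sys.argv) > 1 else "0"
    url = sys.argv[2] if len(sys.argv) > 2 else PLEX_IDENTITY_URL
    try:
        result = check_identity(fetch_identity_xml(url), minimum)
    except (urllib.error.URLError, ValueError) as exc:
        print(f"could not check Plex at {url}: {exc}")
        sys.exit(2)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

The exit code makes it easy to drop into a cron job or a monitoring check, and the strict parser means a server that answers with something unexpected (a captive portal, a different service on that port) fails the check instead of passing it by accident.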