LastPass' corporate vault stolen via an employee's hacked Plex

And the fact that this employee, who was one of 4 that had access to these high-security accounts, should have never crossed paths with anything resembling Plex on the same machine. This is about as security-aware as pushing a wheelbarrow full of cash down the middle of the street in a gang-infested area of town at 3:00am, alone and unarmed.

This was from several months ago. The hacker was able to download copies of the customer vaults. The vaults were not completely encrypted. Account URLs were plain text. Given this situation a hacker has no constraints and can unleash whatever brute-force attempts they want with no operational system "slow downs"; and given plain text of what the accounts are, they can target users with high-value accounts and also formulate very detailed phishing attempts using this information to help the cause. Again, totally irresponsible. And even if you change the passwords and leave LastPass, this information is still in the hands of the hackers, tied to you as the user, that they can use to go after you with a phishing scheme.

1 Like

Also, mitigating this for myself with 800+ login accounts in LastPass, I had to research each one individually. The easiest ones were the ones I was able to change the password on. The more time-consuming were ones that didn't show up as a valid URL (which I had to research to make sure the account wasn't still tied to something) or the ones where the password had expired (which I had to research to see if I was able to possibly change the password with the access I still had). This took a huge amount of time.

LastPass is just no longer viable as a trusted entity for such an important security role.

You have to assume it is inevitable that a hacker will eventually be able to brute force their way into guessing your master key. It may be 6 months from now or it may be 6 years from now, but if hackers have a copy of the vault, they will eventually find a way in.

1 Like
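The triage described in the post above (working through every entry in a stolen vault to find what still needs changing) can be done offline from a vault export. The script below is an added example written for this thread, not LastPass's or any vendor's code. It assumes the export uses the column layout `url,username,password,totp,extra,name,grouping,fav`, and all data in it is constructed. It answers the three questions an attacker holding the plaintext URLs would answer first: which passwords are reused across entries, which entries have no resolvable host (the "didn't show up as a valid URL" cases), and which hosts the vault points at.

```python
"""Offline triage of a password-vault CSV export after a vault theft.

Added example for this thread; not LastPass code. Assumes the LastPass-style
column layout url,username,password,totp,extra,name,grouping,fav (adjust the
header of your own export if it differs). The sample export is constructed.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export with fake credentials. The "http://sn" row stands
# in for an entry whose url field is a placeholder rather than a real host.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://www.bank.example/login,alice,Tr0ub4dor&3,,,Bank,Finance,1
https://mail.example.com/,alice@example.com,Tr0ub4dor&3,,,Mail,Personal,0
https://shop.example.org/account,alice,correct horse battery staple,,,Shop,,0
http://sn,alice,Tr0ub4dor&3,,,Old router,Hardware,0
,alice,hunter2,,,Wifi password,Hardware,0
"""


def load_export(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def hostname(url):
    """Lower-cased host from the url field, or '' when it is empty/unparsable."""
    if not url:
        return ""
    return (urlparse(url).hostname or "").lower()


def triage(rows):
    """Group entries the way an attacker (and a defender) would prioritise.

    reused:  password -> entry names sharing it (one cracked entry opens all)
    no_url:  entries whose url field has no dotted hostname; these need manual
             research because nothing tells you what service they belong to
    by_host: hostname -> entry names, i.e. the target list the plaintext URLs
             hand to whoever holds the vault
    """
    by_password = defaultdict(list)
    by_host = defaultdict(list)
    no_url = []
    for row in rows:
        name = row["name"]
        by_password[row["password"]].append(name)
        host = hostname(row["url"])
        if host and "." in host:
            by_host[host].append(name)
        else:
            no_url.append(name)
    reused = {pw: names for pw, names in by_password.items() if len(names) > 1}
    return {"reused": reused, "no_url": no_url, "by_host": dict(by_host)}


def change_order(result):
    """Hosts sorted so the ones sharing a reused password come first."""
    reused_names = {n for names in result["reused"].values() for n in names}
    return sorted(
        result["by_host"],
        key=lambda h: (-sum(n in reused_names for n in result["by_host"][h]), h),
    )


if __name__ == "__main__":
    report = triage(load_export(SAMPLE_EXPORT))
    for pw, names in report["reused"].items():
        print(f"reused password {pw!r}: {names}")
    print("no usable URL:", report["no_url"])
    print("change first:", change_order(report))
```

Reused passwords are the urgent set: once the attacker cracks one entry, every other entry with the same password falls without further work, so those hosts go to the top of the change list regardless of how "high value" each one looks on its own.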

First off, passwords should never consist of actual words. Those are just ripe for dictionary attacks.

Secondly, why in the world was a LastPass employee using his own personal machine to access such high security information. Give the guy a fricken laptop that's locked down at least.
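The two points made in this thread about the stolen vaults (that the attacker can guess offline with no rate limiting, and that dictionary words are the first thing tried) can be shown concretely. The block below is an added example, not LastPass's code or format. It assumes a vault whose key is derived with PBKDF2-HMAC-SHA256 from the master password and which stores a verifier computed from that key; the wordlist, mangling rules and iteration counts are constructed and deliberately small so the example runs in a second (production iteration counts are in the hundreds of thousands).

```python
"""Offline guessing against a stolen vault blob.

Added example for this thread, not LastPass code. Model: the vault key is
PBKDF2-HMAC-SHA256(master, salt, iterations) and the blob carries an HMAC
verifier of that key. Whoever holds the blob runs the same derivation with
no server in the loop, so the only brakes are the iteration count and the
entropy of the master password. Iteration counts below are deliberately low.
"""
import hashlib
import hmac
import os

VERIFIER_LABEL = b"vault-verifier"  # assumed label, not a LastPass constant


def derive_key(master, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, 32)


def make_vault(master, iterations, salt=None):
    """Build the part of a vault an attacker would steal: salt, params, verifier."""
    salt = salt or os.urandom(16)
    key = derive_key(master, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check(vault, candidate):
    """One guess: derive the key and compare the verifier in constant time."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    probe = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(probe, vault["verifier"])


# Constructed mini wordlist plus the kind of mangling rules crackers apply.
WORDLIST = ["password", "letmein", "dragon", "plex", "lastpass", "welcome"]
SUFFIXES = ["", "1", "123", "!", "2023"]


def candidates():
    """Dictionary words, capitalised variants, common suffixes: 60 guesses."""
    for word in WORDLIST:
        for form in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield form + suffix


def crack(vault, guesses):
    """Return (password, guesses_tried) on success, (None, guesses_tried) if
    the candidate space is exhausted."""
    tried = 0
    for guess in guesses:
        tried += 1
        if check(vault, guess):
            return guess, tried
    return None, tried


def attacker_seconds(guesses, iterations, pbkdf2_rounds_per_second):
    """Cost model: work is guesses * iterations; the defender picks iterations
    once, the attacker's guess count grows with passphrase entropy."""
    return guesses * iterations / pbkdf2_rounds_per_second


if __name__ == "__main__":
    weak = make_vault("Plex123", 1000)
    print("weak master:", crack(weak, candidates()))
    strong = make_vault("correct horse battery staple", 1000)
    print("strong master:", crack(strong, candidates()))
    # Same guess budget, 100x the iterations -> 100x the attacker's time.
    print(attacker_seconds(10**9, 1_000, 10**6), attacker_seconds(10**9, 100_000, 10**6))
```

The weak master falls inside the first few dozen guesses because it is a wordlist entry plus a suffix; the four-word passphrase is never reached because it is not in the candidate space at all. Raising iterations only scales the attacker's bill linearly, whereas every extra bit of passphrase entropy doubles it, which is why an old vault with a low iteration count and a dictionary-based master is the case the thread is worried about.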

The dangers of enabling remote access?

Apparently the cause of the LastPass incident was LastPass's failure to have employees maintain a sterile environment. One of the requirements for a sterile environment is that dedicated company computers be used for business work and nothing else. The employee computer that was compromised was his personal computer. A clear violation of maintaining a sterile environment. LastPass failed to train and/or enforce this critical security procedure. I hope that they have now hired a competent IT security company to assess their environment and then address all issues found. Then do annual compliance audits.

As for Plex being involved, Plex has not announced what their password compromise was. The important thing for anyone using Plex is to change their Plex password and, even more important, if they reuse that password, to change it everywhere it's used.

Anyone that cares about security would never dare use LastPass again.

So you will use another unproven password vault?

I'll go with the one that is open source and hasn't shown a propensity for being moronic.

Simply use a text file and save it encrypted. Then, if you like, sync that file to the cloud. Then you rely on yourself to be secure.

Bitwarden conducts security audits, but I haven't seen evidence of code audits.

Personally I use an OpenBSD host server running Vaultwarden (an open source Bitwarden compatible server coded in Rust).

It is up to you to assess your security needs, and then choose accordingly.

1 Like

The hacker exploited a vulnerability in the Plex Media Server software that was patched in May 2020. 'The version that addressed this exploit was roughly 75 versions ago,' Plex says.

2 Likes

This is why Microsoft forces patches even though it can annoy people.

Exactly as I (and many others) suspected.

The problem with Plex updates is they need to be manually installed on some devices (i.e., Synology NAS). I really wish I could set it to autoupdate.

The problem is exposing the software to the internets.

1 Like

Not every solution works for everyone. For many people, simply using an encrypted text file is not practical if you are going to make any attempt to use difficult passwords. I work in tech and have to remember hundreds of passwords and use different devices. It's simply not practical to manually look them up and hand-type them in. I used LastPass for years, and 1Password for years before that, when at the time they didn't work well on Windows. With most companies that have a hack, you conclude afterwards that they are probably the safest and most secure out there because of the extra attention. LastPass really blew this on every level with their practices and their handling. They have permanently lost my trust, but I'm not ready to throw out the entire industry. As a whole, I think they still are way more knowledgeable than me on how to keep things secure.

Don't know why you would not cut and paste passwords in from an encrypted file. I also worked in IT and used the encrypted-file method way before any password vault applications came out. Some companies get better after they are hacked. Others continue the same culture, simply doing whatever is needed to shut the auditors up. Security is as much a culture as a set of policies and procedures.

Because it's a PITA on a phone.

2 Likes
1 Like