LastPass’ recent security breach could have been prevented, according to a report: an outdated piece of software on an employee’s home computer is said to have caused the massive data breach.
The password vault company revealed that hackers pulled off the breach by installing malware on an employee’s home computer which allowed them to ultimately capture keystrokes on the machine.
LastPass did not name the vendor or the flaw that was exploited; the company stated only that the hacker exploited a “vulnerable third-party media software package”.
That led many to wonder if the hacker had abused a currently unknown vulnerability, which could put many other users in harm’s way.
Further reports later pointed fingers at the Plex Media Server software which was used to load the malware on the LastPass employee’s home computer.
LastPass also made it known that the exploit wasn’t new and that the vulnerability was patched a long time ago.
The company also said the vulnerability is CVE-2020-5741, which the company publicly disclosed to users in May 2020. “An attacker who already had admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” the company said back then.
“At the time, as noted in that post, an updated version of the Plex Media Server was made available to all (7-MAY-2020),” a spokesperson for Plex said. “Unfortunately, the LastPass employee never upgraded their software to activate the patch. For reference, the version that addressed this exploit was roughly 75 versions ago.”
The company also confirmed earlier in the week that the threat actor exploited a vulnerability in an earlier, unpatched version of Plex Media Server on a LastPass DevOps engineer’s home computer.
Plex also said that it will provide notifications via the admin UI about available updates, and will perform automatic updates in other cases.
“Without more information about all of the specifics, there is no way for us to speculate why this person did not update Plex over such a prolonged period of time,” the spokesperson added.
Why the DevOps engineer’s computer was left un-updated is unknown, but the security breach shows that anyone is susceptible to hacking, no matter their level of expertise, and underscores the importance of keeping computer software up to date.
To exploit the CVE-2020-5741 flaw, the hacker first took possession of the employee’s Plex Media Server account, which indicates the hacker may already have had access to the employee’s computer but later came up with a better way of infecting it with malware.
LastPass also bears responsibility for allowing its employees to access sensitive data from a home computer.
According to LastPass, the hacker planted keylogging malware on the home computer, enabling them “to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
This allowed the hacker to steal a copy of customers’ encrypted password vaults as well as other unencrypted account information, such as users’ email addresses and phone numbers.