LastPass has announced that the recent breach happened due to an employee not updating their software.
The employee was a DevOps engineer and was targeted by hackers.
LastPass is one of the world's most popular password manager applications.
- The platform has over 33 million users, including over 100,000 enterprise accounts.
- The hacked engineer was part of a four-person team with the decryption keys that give access to LastPass's cloud storage service.
- Hackers breached the employee's home computer through a security flaw tracked as CVE-2020-5741. The flaw specifically affects Plex Media Server.
- The flaw, which has a CVSS score of 7, enables a threat actor to compromise the victim's system remotely.
- In order to avoid a similar breach in the future, Plex has made several changes, such as:
  - Removing the ability to change the location of the server's data directory via the API, and
  - Adding additional checks in the Camera Upload feature.
- Users are directed to update their Plex Media Server to version 1.19.3.