We learned more details about the second LastPass hacking incident last week — a malicious party installed a keylogger onto a senior engineer's home computer through an exploit in Plex, the personal cloud service for movie storage and streaming, and was able to break into corporate-level caches as a result. But it turns out that the engineer had a big part to play in this major failure as well.
Plex has revealed that the exploit in question took advantage of a vulnerability that was disclosed back on May 7, 2020. The company tells PCMag that, for some reason, the LastPass employee never updated their client to apply the patch.
So one very valid concern about remote workers, working from home, is whether they are actively patching and updating their computer system. Usually in a corporate environment desktop and portable computers are being managed and updated by central IT, but this is often not the case for home users, especially if they are using their own personal computers from home.
What possibly makes patching and updating even worse, is using Windows OS as the individual apps are not updated as part of the OS's daily updates check. With Linux, usually the OS as well as all installed apps are checked daily and updated from the update manager, regardless of whether the installed app is being opened or not.
What we already know about most end users (just think of pasword1234) is that they tend not to be scrupulous and disciplined about applying the best security practices...
See LastPass breach could've been stopped with a 3-year-old Plex update
December's LastPass breach was brought to you by a Plex exploit that was patched back in 2020