Is Plex, the company, attempting to contact law enforcement (probably FBI) about the matter? I mean, Lastpass isn’t just handling this whole thing themselves at this point. Law enforcement must be involved in the investigation too.
LastPass has formally acknowledged it was a “vulnerable third-party media software package” (bolding is mine):
Incident 2 – Additional details of the attack - LastPass Support
It doesn’t state Plex, but it’s narrowing down toward Plex.
Agreed. It doesn’t. As I said earlier, I’m reluctant to put much value on what LP says TBH given their history.
At this stage all we have that mentions Plex specifically is an anonymous source who saw the LP report.
I’ll wait until Plex confirms any NEW issues.
In your link it says …
exploiting a vulnerable third-party media software package
So, if it was indeed Plex (which, as you say, is likely), was it the implementation of that software on the user’s computer or the software itself?
Given the user’s obvious poor understanding of security as evidenced by the report, totally separate from how he has Plex set up, I would say this reflects more on the user’s issue, not Plex.
Not sure I agree with this, but it would be nice to be the case.
My hope is that if Plex was vulnerable last Fall, it isn’t now.
This is my hope/expectation. I may be wrong but the employee was identified as having other security issues - some rather alarming ones.
Agreed. Reading into a few comments made so far, it seems that way.
It is rather sad that I learn more about this issue on Reddit than on the Plex forum. More on the topic here. More threads.
Again, is the vulnerability mentioned an old one that has been resolved or a new one?
It can’t be that difficult to say yes or no.
Frankly, this sounds like a new event, given an RCE vulnerability in Plex that allowed an attacker to compromise the user’s home computer.
I see nothing new in that thread. I’m open to being shown that I am wrong.
Plex doesn’t know how, or even if, their server software was compromised.
However, I will restate that Plex shouldn’t be waiting for LastPass to tell them what happened. I would hope Plex is actively asking LastPass and/or other parties involved in the investigation, which LastPass has stated is “complete.”
If LastPass refuses to share details about vulnerabilities in any media software with that company, that is completely inexcusable and would show LastPass to be completely untrustworthy. I mean, LastPass would have knowledge of how users’ PCs could be compromised and would be refusing to allow other companies to patch those holes, which in turn compromised LastPass users.
I will add, if it is true there is a vulnerability with some media software, that isn’t just a LastPass issue. That is an issue for all software on a user’s PC. Including all password managers.
I have no idea what your level of knowledge is on the topic and I am not really interested in ‘showing that you are wrong’.
That Reddit thread most certainly added more to my knowledge about the situation than the threads on Plex did. Clearly I have no clue on the topic, so any information is useful, personally.
So, are we OK to enable remote access again, or should we keep it off for a while and see if they find anything?
How is PLEX supposed to find out what happened to LastPass if they won’t tell them?
Plex sounds like they are waiting to be informed. I’m hoping they pro-actively reach out.
EDIT:
It appears Plex has:
“we have reached out to LastPass to be sure”
LastPass says employee’s home computer was hacked and corporate vault taken | Ars Technica
Unclear at this time.
EDIT: No other Plex user has reported being hacked via Plex that I’m aware of since October.
The Ars Technica article, I think, is the most recent on the details:
LastPass says employee’s home computer was hacked and corporate vault taken | Ars Technica
I’m aware of articles but at the moment I’m more interested in comments from people I know personally on Reddit (and indeed the ArsTechnica forum).
Have they added any confirmed details to those articles?
Plex is open more than just remote access.
However, this all smacks more of an issue caused by poor security and behaviour by an employee/contractor for LP than Plex itself. I may be wrong of course.
LastPass has released a Security Bulletin:
Security Incident Update and Recommended Actions - The LastPass Blog
Doesn’t appear to mention Plex but still mentions “media software.”
Confirmed it was 100% Plex.
The DevOps engineer was running a version that was outdated by 3 YEARS.
Update your stuff, folks. This is such a noob mistake by the LP DevOps bro. Dude should be arrested for allowing all (30M+ records) of LP customer data to be stolen, imo.
Would appear to confirm my latest post in this thread.
However, didn’t Plex enforce a password reset, etc.?
This is more than just an old version of Plex. It is the fact Plex was installed on a work device, a device that used remote access as well. A device that appears to have an old version of Plex and ipso facto, very likely other software and security that was out of date.
What is lacking in this thread is commentary by Plex itself, even if to say “we know nothing”.
There has been some initial commentary but otherwise an echo chamber.