Experts Fear Crooks Are Cracking Keys Stolen in LastPass Breach

Brian Krebs:

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.
Dan Goodin at Ars Technica reported and then confirmed that the [LastPass] attackers exploited a known vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

I completely missed this development, which was reported earlier this year, regarding the cause of the LastPass breach. It is an extraordinary heist: a security problem in Plex, of all things, has probably resulted in the theft of $35 million worth of cryptocurrency from a bunch of LastPass users.