LastPass Hack: Engineer's Failure to Update Plex Software Led to Massive Data Breach
The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, in what's a sobering reminder of the dangers of failing to keep software up to date.
The embattled password management service last week revealed how unidentified actors leveraged information stolen from an earlier incident that took place prior to August 12, 2022, along with details "available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated second attack" between August and October 2022.
The intrusion ultimately enabled the ....

https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html
Comments
Is this a new hack or the old one discussed in several recent threads?
It's the same hack, but with new info. That's why it's news!
Stop using LastPass! Choose something self-hosted!
A free solution is KeePass for Windows, or KeePassXC for Linux and Mac.
If you have money and want something self-hosted, try Enpass, which can store the data encrypted on the local machine or in some cloud account of your choice (options include Google, Microsoft, Nextcloud and so on).
Or the original pwsafe.org by Bruce Schneier.
Seen a lot of people defending Plex and blaming LastPass's incompetence, which is undeniable tbf, but I do hold Plex partly responsible for producing software that people will expose from their LAN to the internet. It needs to be unbelievably bomb-proof, with normie-friendly switches for insane stuff like remote control and uploading.
(Not a Plex user, basing my opinion on the likes of Jellyfin.)
If one doesn't have a server to host it on, can we say it's self-hosted?
Vouch for KeePassXC.
There are 2 options for secure password storage:
If you want cloud sync and shit like that, self-host it or choose a trusted instance. You don't really have to trust the instance that much, as it's end-to-end encrypted; just make sure it has good uptime and good data retention.
Local storage, heavy-duty encryption and possible cross-device sync over the local network.
You can't hold Microsoft partly or remotely responsible for devices getting compromised when they are running Windows 95. Though not bomb-proof, Plex do their best to release patches and whatnot regularly. It is the responsibility of the user to make sure their Plex server is up to date. He had a 75-versions-old Plex server.
Agree, but the equivalent is MS opening the RDP port to the world via UPnP.
Wut? Self-hosted means you have your own server to do the self-hosting.
Amazing that there have been so many we start to lose track.
A Vaultwarden instance at @m4nu's PikaPods is a fine alternative if you (generic you, not you @default) don't want to set up a VPS.