{"id":211,"date":"2023-02-28T06:50:41","date_gmt":"2023-02-28T12:50:41","guid":{"rendered":"https:\/\/kentprotect.com\/?p=211"},"modified":"2023-04-04T04:30:24","modified_gmt":"2023-04-04T09:30:24","slug":"lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software","status":"publish","type":"post","link":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/","title":{"rendered":"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex)"},"content":{"rendered":"<div class='booster-block booster-read-block'><\/div>\n<p class=\"wp-block-paragraph\">(Image source: LastPass, n.d.-c)<\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>One-sentence summary: <\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">LastPass discloses 2022 breach updates, clarifying two separate hacks and a third-party software exploit on a DevOps engineer&#8217;s computer. <\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>Who was involved?<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">LastPass, LastPass software engineer, a senior DevOps Engineer, and the adversary. <\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>What was the timeline?<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">August 8, 2022: Threat actor made initial access into LastPass (Toubba, 2023, para. 3). <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">August 12, 2022: Threat actor is detected on the network by LastPass, and Incident 1 ceases (LastPass, n.d.-a, para. 1). Incident 2 begins (LastPass, n.d.-b, para. 3). <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">August 13, 2022: Mandiant is engaged (LastPass, n.d.-a, para. 3). <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">October 26, 2022: Threat actor is contained by LastPass. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">December 22, 2022: Initial press release by LastPass over the breach. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">February 24, 2022: Latest update is posted on LastPass&#8217;s website (Toubba, 2023). <\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>What occurred?<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In August 2022, an unknown threat actor successfully breached a software engineer&#8217;s work computer (potentially through their home network), allowing initial access in Incident 1 (LastPass, n.d.-a, paras. 1-4, 11). The threat actor bypassed EDR and impersonated the software engineer&#8217;s valid access to exfiltrate 14 out of 200 source code repos at LastPass and obtain development &#8220;cleartext embedded credentials&#8221; and &#8220;stored digital certificates&#8221; (LastPass, n.d.-a, paras. 5-7). While Mandiant and LastPass may have thought the actor was gone after initial containment, they were just getting started. They apparently returned the same day with a vengeance and utilized an RCE vulnerability in third-party software to hack a senior DevOps engineer (LastPass, n.d.-b, paras. 1-5, 11; Toubba, 2023, p. 2). Update 4\/4\/2023: the third-party software was reported to be Plex and was exploited via CVE-<strong><span style=\"text-decoration: underline;\">2020<\/span><\/strong>-5741 (Lakshmanan, 2023). (They spent over two months in a backup environment and collected partial crown jewels (without customer master passwords): &#8220;contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data&#8221; (Toubba, 2023, p. 3). This was one of the three major categories of the second breach: &#8220;cloud-based backup storage&#8221; (Toubba, 2023, p. 3). The other breached categories included &#8220;DevOps secrets&#8221; and &#8220;Backup of LastPass MFA\/Federation Database,&#8221; including &#8220;LastPass Authenticator seeds&#8221; and certain decryption keys (p. 3). October 26, 2022, was the adversary&#8217;s last known date of activity within LastPass (Toubba, 2023, p. 1). The implications of the breaches are too multivariable for a summary (please see for implications and remedial advice: https:\/\/support.lastpass.com\/help\/what-data-was-accessed; https:\/\/blog.lastpass.com\/2022\/12\/notice-of-recent-security-incident\/). <\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>Estimated costs:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Incident response costs, including Mandiant (Toubba, 2023, p. 2). <\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>Involved laws: <\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TBA or N\/A (see disclaimer) <\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>Root cause: <\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Potentially engineer&#8217;s &#8220;home network&#8221; and definite third-party software RCE vulnerability (LastPass, n.d.-a, para. 11; LastPass, n.d.-b, para. 1). <\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>Lessons learned: <\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Assess and harden home networks. Substantially limit third-party software on corporate devices to reduce the attack surface via application whitelisting. Limit Oauth and consent to third party applications with corporate identities and resources. There are many other lessons learned enumerated within the cited sources and are worth investigating. However, I am focusing on lessons learned that address the root causes. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>Commentary<\/strong>: <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">BleepingComputer reported that &#8220;noindex&#8221; tags were on the LastPass documents, however, I found the &#8220;Security Incident Update and Recommended Actions&#8221; and additional detail posts available on Google or without noindex tags (Abrams, 2023). Only the &#8220;What data was accessed?&#8221; page appeared to have the noindex tag (LastPass, n.d.-d). Metadata was extracted to get the date on the &#8220;Security Incident Update and Recommended Actions&#8221; PDF (Toubba, 2023). LastPass&#8217;s remedial efforts on both support pages are comprehensive and role models to other organizations suffering data breaches. Kudos to LastPass and Mandiant! However, LastPass has had two prior breaches: one in 2015 and one in 2011: https:\/\/www.wired.com\/2015\/06\/hack-brief-password-manager-lastpass-got-breached-hard\/. Those will be covered in future posts and any alignment with the latest breach will be elucidated. <\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>Sources: <\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Abrams, L. (2023, February 28). <em>LastPass: DevOps engineer hacked to steal password vault data in 2022 breach<\/em>. BleepingComputer. https:\/\/www.bleepingcomputer.com\/news\/security\/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach\/<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Lakshmanan, R. (2023, March 7). <em>LastPass Hack: Engineer\u2019s Failure to Update Plex Software Led to Massive Data Breach<\/em>. The Hacker News. Retrieved April 4, 2023, from https:\/\/thehackernews.com\/2023\/03\/lastpass-hack-engineers-failure-to.html<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">LastPass. (n.d.-a). <em>Incident 1 \u2013 Additional details of the attack &#8211; LastPass Support<\/em>. LastPass Support. Retrieved February 28, 2023, from https:\/\/support.lastpass.com\/help\/incident-1-additional-details-of-the-attack<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">LastPass. (n.d.-b). <em>Incident 2 \u2013 Additional details of the attack &#8211; LastPass Support<\/em>. LastPass Support. Retrieved February 28, 2023, from https:\/\/support.lastpass.com\/help\/incident-2-additional-details-of-the-attack<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">LastPass. (n.d.-c). <em>LastPassLogoShadow.png<\/em>. https:\/\/lastpass.com\/media\/pressroom\/LastPassLogoShadow.png<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">LastPass. (n.d.-d). <em>What data was accessed? &#8211; LastPass Support<\/em>. LastPass Support. Retrieved February 28, 2023, from https:\/\/support.lastpass.com\/help\/what-data-was-accessed<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Toubba, K. (2023, February 24). <em>Security Incident Update and Recommended Actions<\/em>. lastpass.com. Retrieved February 28, 2023, from https:\/\/support.lastpass.com\/download\/lastpass-blog-security<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/e2fv8OgXRtw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\">YouTube\/Blog Notification Post<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>(Image source: LastPass, n.d.-c) One-sentence summary: LastPass discloses 2022 breach updates, clarifying two separate hacks and a third-party<\/p>\n","protected":false},"author":4,"featured_media":212,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[197,196,198,68,3,12,13,76,63,75,61,11,10,74,195,14,184,69,71,72,70,8,27,183,182,188,73,190,189,186,167,67,191,192,62,15,193,194,187,185],"class_list":["post-211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-breach-report","tag-amazonwebservices","tag-aws","tag-backups","tag-been-pwned","tag-breach-report","tag-breaches","tag-ciso","tag-cloud","tag-computer-security","tag-cyber-security","tag-cybercrime","tag-cybersecurity","tag-dallas","tag-data-breach","tag-devops","tag-executive","tag-fairfax","tag-have-been-pwned","tag-have-i-pwned","tag-i-been-pwned","tag-i-have-been-pwned","tag-kent-protect","tag-kentprotect","tag-lastpass","tag-leak","tag-master","tag-password","tag-password-manager","tag-passwordmanager","tag-passwordvault","tag-press","tag-pwned","tag-rce","tag-remotecodeexecution","tag-security","tag-summary","tag-third-party-software","tag-thirdpartysoftware","tag-vault","tag-virginia"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex) - Kent Protect<\/title>\n<meta name=\"description\" content=\"LastPass discloses 2022 breach updates, clarifying two separate hacks and a third-party software exploit on a DevOps engineer&#039;s computer.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex) - Kent Protect\" \/>\n<meta property=\"og:description\" content=\"LastPass discloses 2022 breach updates, clarifying two separate hacks and a third-party software exploit on a DevOps engineer&#039;s computer.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/\" \/>\n<meta property=\"og:site_name\" content=\"Kent Protect\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-28T12:50:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-04-04T09:30:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/02\/LastPassLogoShadow.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2000\" \/>\n\t<meta property=\"og:image:height\" content=\"500\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kyler Kent CISSP\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kyler Kent CISSP\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/\"},\"author\":{\"name\":\"Kyler Kent CISSP\",\"@id\":\"https:\\\/\\\/kentprotect.com\\\/#\\\/schema\\\/person\\\/f9b4d76bd2f5b5559a08ad2e004a1116\"},\"headline\":\"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex)\",\"datePublished\":\"2023-02-28T12:50:41+00:00\",\"dateModified\":\"2023-04-04T09:30:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/\"},\"wordCount\":779,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/kentprotect.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/kentprotect.com\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/LastPassLogoShadow.png\",\"keywords\":[\"amazonwebservices\",\"AWS\",\"backups\",\"been pwned\",\"breach report\",\"breaches\",\"ciso\",\"cloud\",\"computer security\",\"cyber security\",\"cybercrime\",\"cybersecurity\",\"dallas\",\"data breach\",\"devops\",\"executive\",\"fairfax\",\"have been pwned\",\"have I pwned\",\"I been pwned\",\"I have been pwned\",\"kent protect\",\"kentprotect\",\"lastpass\",\"leak\",\"master\",\"password\",\"password manager\",\"passwordmanager\",\"passwordvault\",\"press\",\"pwned\",\"rce\",\"remotecodeexecution\",\"security\",\"summary\",\"third-party software\",\"thirdpartysoftware\",\"vault\",\"virginia\"],\"articleSection\":[\"The Breach Report!\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/\",\"url\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/\",\"name\":\"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex) - Kent Protect\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/kentprotect.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/kentprotect.com\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/LastPassLogoShadow.png\",\"datePublished\":\"2023-02-28T12:50:41+00:00\",\"dateModified\":\"2023-04-04T09:30:24+00:00\",\"description\":\"LastPass discloses 2022 breach updates, clarifying two separate hacks and a third-party software exploit on a DevOps engineer's computer.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/#primaryimage\",\"url\":\"https:\\\/\\\/kentprotect.com\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/LastPassLogoShadow.png\",\"contentUrl\":\"https:\\\/\\\/kentprotect.com\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/LastPassLogoShadow.png\",\"width\":2000,\"height\":500,\"caption\":\"Last Pass Logo Shadow\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/2023\\\/02\\\/28\\\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/kentprotect.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/kentprotect.com\\\/#website\",\"url\":\"https:\\\/\\\/kentprotect.com\\\/\",\"name\":\"Kent Protect\",\"description\":\"Starring the Breach Report! and other security and cybersecurity series\",\"publisher\":{\"@id\":\"https:\\\/\\\/kentprotect.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/kentprotect.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/kentprotect.com\\\/#organization\",\"name\":\"Kent Protect\",\"url\":\"https:\\\/\\\/kentprotect.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/kentprotect.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/kentprotect.com\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/cropped-FullLogo_Transparent-1-with-KP-Smaller.png\",\"contentUrl\":\"https:\\\/\\\/kentprotect.com\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/cropped-FullLogo_Transparent-1-with-KP-Smaller.png\",\"width\":209,\"height\":161,\"caption\":\"Kent Protect\"},\"image\":{\"@id\":\"https:\\\/\\\/kentprotect.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/kentprotect.com\\\/#\\\/schema\\\/person\\\/f9b4d76bd2f5b5559a08ad2e004a1116\",\"name\":\"Kyler Kent CISSP\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/kentprotect.com\\\/wp-content\\\/uploads\\\/2023\\\/03\\\/Retry-3-150x150.jpg\",\"url\":\"https:\\\/\\\/kentprotect.com\\\/wp-content\\\/uploads\\\/2023\\\/03\\\/Retry-3-150x150.jpg\",\"contentUrl\":\"https:\\\/\\\/kentprotect.com\\\/wp-content\\\/uploads\\\/2023\\\/03\\\/Retry-3-150x150.jpg\",\"caption\":\"Kyler Kent CISSP\"},\"description\":\"Kyler Kent is a Senior Cybersecurity Analyst on CrowdStrike\u2019s Falcon Complete MDR team, where he helps large enterprises detect, investigate, and contain real intrusions across cloud and hybrid environments. His work spans threat hunting, incident response, and security automation\u2014turning noisy telemetry into clear, repeatable actions that reduce risk quickly. Previously, Kyler served as a Threat Hunting and Intelligence Specialist supporting a critical infrastructure provider in Dallas, and led security automation and operational coordination at CyberConvoy. He holds a Master\u2019s in Cybersecurity Risk Management from Georgetown University and maintains certifications including CISSP, AWS Solutions Architect \u2013 Professional, AWS Security \u2013 Specialty, and multiple CrowdStrike credentials. He writes to close the gap between \u201cwhat the textbook says\u201d and what analysts actually do on shift with his published book: \\\"SOC Analyst Career Guide\\\" (ISBN-13: 9781835467466). https:\\\/\\\/linktr.ee\\\/kentprotect.com Corrections: corrections@kentprotect.com\",\"sameAs\":[\"http:\\\/\\\/kylerkent.com\"],\"url\":\"https:\\\/\\\/kentprotect.com\\\/index.php\\\/author\\\/kylerkent\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex) - Kent Protect","description":"LastPass discloses 2022 breach updates, clarifying two separate hacks and a third-party software exploit on a DevOps engineer's computer.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/","og_locale":"en_US","og_type":"article","og_title":"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex) - Kent Protect","og_description":"LastPass discloses 2022 breach updates, clarifying two separate hacks and a third-party software exploit on a DevOps engineer's computer.","og_url":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/","og_site_name":"Kent Protect","article_published_time":"2023-02-28T12:50:41+00:00","article_modified_time":"2023-04-04T09:30:24+00:00","og_image":[{"width":2000,"height":500,"url":"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/02\/LastPassLogoShadow.png","type":"image\/png"}],"author":"Kyler Kent CISSP","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kyler Kent CISSP","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/#article","isPartOf":{"@id":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/"},"author":{"name":"Kyler Kent CISSP","@id":"https:\/\/kentprotect.com\/#\/schema\/person\/f9b4d76bd2f5b5559a08ad2e004a1116"},"headline":"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex)","datePublished":"2023-02-28T12:50:41+00:00","dateModified":"2023-04-04T09:30:24+00:00","mainEntityOfPage":{"@id":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/"},"wordCount":779,"commentCount":0,"publisher":{"@id":"https:\/\/kentprotect.com\/#organization"},"image":{"@id":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/#primaryimage"},"thumbnailUrl":"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/02\/LastPassLogoShadow.png","keywords":["amazonwebservices","AWS","backups","been pwned","breach report","breaches","ciso","cloud","computer security","cyber security","cybercrime","cybersecurity","dallas","data breach","devops","executive","fairfax","have been pwned","have I pwned","I been pwned","I have been pwned","kent protect","kentprotect","lastpass","leak","master","password","password manager","passwordmanager","passwordvault","press","pwned","rce","remotecodeexecution","security","summary","third-party software","thirdpartysoftware","vault","virginia"],"articleSection":["The Breach Report!"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/","url":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/","name":"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex) - Kent Protect","isPartOf":{"@id":"https:\/\/kentprotect.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/#primaryimage"},"image":{"@id":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/#primaryimage"},"thumbnailUrl":"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/02\/LastPassLogoShadow.png","datePublished":"2023-02-28T12:50:41+00:00","dateModified":"2023-04-04T09:30:24+00:00","description":"LastPass discloses 2022 breach updates, clarifying two separate hacks and a third-party software exploit on a DevOps engineer's computer.","breadcrumb":{"@id":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/#primaryimage","url":"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/02\/LastPassLogoShadow.png","contentUrl":"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/02\/LastPassLogoShadow.png","width":2000,"height":500,"caption":"Last Pass Logo Shadow"},{"@type":"BreadcrumbList","@id":"https:\/\/kentprotect.com\/index.php\/2023\/02\/28\/lastpass-2022-breach-update-two-hacks-and-senior-devops-engineer-exploited-via-third-party-software\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/kentprotect.com\/"},{"@type":"ListItem","position":2,"name":"LastPass 2022 breach update: two hacks and senior DevOps engineer exploited via third-party software (Plex)"}]},{"@type":"WebSite","@id":"https:\/\/kentprotect.com\/#website","url":"https:\/\/kentprotect.com\/","name":"Kent Protect","description":"Starring the Breach Report! and other security and cybersecurity series","publisher":{"@id":"https:\/\/kentprotect.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kentprotect.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kentprotect.com\/#organization","name":"Kent Protect","url":"https:\/\/kentprotect.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kentprotect.com\/#\/schema\/logo\/image\/","url":"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/04\/cropped-FullLogo_Transparent-1-with-KP-Smaller.png","contentUrl":"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/04\/cropped-FullLogo_Transparent-1-with-KP-Smaller.png","width":209,"height":161,"caption":"Kent Protect"},"image":{"@id":"https:\/\/kentprotect.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/kentprotect.com\/#\/schema\/person\/f9b4d76bd2f5b5559a08ad2e004a1116","name":"Kyler Kent CISSP","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/03\/Retry-3-150x150.jpg","url":"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/03\/Retry-3-150x150.jpg","contentUrl":"https:\/\/kentprotect.com\/wp-content\/uploads\/2023\/03\/Retry-3-150x150.jpg","caption":"Kyler Kent CISSP"},"description":"Kyler Kent is a Senior Cybersecurity Analyst on CrowdStrike\u2019s Falcon Complete MDR team, where he helps large enterprises detect, investigate, and contain real intrusions across cloud and hybrid environments. His work spans threat hunting, incident response, and security automation\u2014turning noisy telemetry into clear, repeatable actions that reduce risk quickly. Previously, Kyler served as a Threat Hunting and Intelligence Specialist supporting a critical infrastructure provider in Dallas, and led security automation and operational coordination at CyberConvoy. He holds a Master\u2019s in Cybersecurity Risk Management from Georgetown University and maintains certifications including CISSP, AWS Solutions Architect \u2013 Professional, AWS Security \u2013 Specialty, and multiple CrowdStrike credentials. He writes to close the gap between \u201cwhat the textbook says\u201d and what analysts actually do on shift with his published book: \"SOC Analyst Career Guide\" (ISBN-13: 9781835467466). https:\/\/linktr.ee\/kentprotect.com Corrections: corrections@kentprotect.com","sameAs":["http:\/\/kylerkent.com"],"url":"https:\/\/kentprotect.com\/index.php\/author\/kylerkent\/"}]}},"_links":{"self":[{"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/posts\/211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/comments?post=211"}],"version-history":[{"count":3,"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/posts\/211\/revisions"}],"predecessor-version":[{"id":456,"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/posts\/211\/revisions\/456"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/media\/212"}],"wp:attachment":[{"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/media?parent=211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/categories?post=211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kentprotect.com\/index.php\/wp-json\/wp\/v2\/tags?post=211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}