Data leak
LastPass Blog / Wikipedia / Cybersecurity Dive
Primary Source
Incident Details
Two-stage breach in 2022. Aug 8-11: the attacker compromised a software developer's laptop and stole 14 source code repositories. Aug 12: a senior DevOps engineer's personal computer was compromised via an unpatched Plex Media Server vulnerability (CVE-2020-5741); a keylogger captured the engineer's master password. Aug-Sept: using the stolen credentials, the attacker exfiltrated a customer vault backup and the user database from third-party cloud storage. The stolen data includes encrypted password vaults and unencrypted metadata (URLs, email addresses, billing addresses). In 2025, US federal investigators linked roughly $150M in cryptocurrency theft to cracking of the stolen LastPass vaults.
Technical Details
- Initial Attack Vector
- CWE-1232: Improper Lock of Memory That Contains Resource (developer laptop compromise via malware; second stage via vulnerable Plex Media Server CVE-2020-5741)
- Vendor / Product
- LastPass Password Manager
- Software Package
- Plex Media Server
- CVE / GHSA References
- CVE-2020-5741
Timeline
- 2022-08-08 Breach occurred
- 2022-11-30 Publicly disclosed
- 2022-12-22 Customers notified