LastPass has taken a reputational tumble from one of the great password managers out there to being mired in infamy after not one, but two massive data breaches last year. We learned more details about the second incident last week: a malicious party installed a keylogger on a senior engineer's home computer by exploiting Plex, the personal media server software for storing and streaming movies, and used what it captured to break into corporate-level caches. But it turns out that the engineer had a big part to play in this failure as well.

Plex has revealed that the exploit in question took advantage of a vulnerability that was publicly disclosed back on May 7, 2020. The company tells PCMag that, for whatever reason, the LastPass employee never updated their Plex Media Server to apply the patch.

The vulnerability allowed anyone with access to the server administrator's Plex account to upload a malicious file through the Camera Upload feature and have the media server execute it. The trick was to set the server's data directory so that it overlapped with the content location of a library that had Camera Upload enabled, so an uploaded "photo" landed where the server would treat it as its own code. Note the precondition: the attacker first had to be logged in as the server's administrator, which is why the engineer's Plex credentials mattered.

The company released Plex Media Server v1.19.3 that very same day to patch the gap.
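The two conditions described above (an unpatched server, and a Camera Upload library whose path overlaps the server data directory) are things an administrator can check for. The script below is an added example written for this article, not Plex's own code or anything from the LastPass investigation. It assumes a Plex-style version string such as "1.19.2.2737-2bd14b5e5" and takes the data directory and library list as plain inputs; the sample paths and library names are constructed for the demonstration, and the default Linux data directory shown is an assumption.

```python
import posixpath
from pathlib import PurePosixPath

# Plex Media Server 1.19.3 shipped the fix (per the disclosure discussed above).
FIXED_VERSION = (1, 19, 3)


def parse_version(version: str) -> tuple:
    """Turn a Plex-style version string ('1.19.2.2737-2bd14b5e5') into a tuple
    of its leading numeric components. The build hash after '-' is dropped.
    The version format itself is an assumption made for this example."""
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True if the first three components are at or past 1.19.3.
    A two-component string like '1.19' compares as older (conservative)."""
    return parse_version(version)[:3] >= FIXED_VERSION


def _parts(path: str) -> tuple:
    # Normalize '..' and duplicate separators so a traversal-style path that
    # resolves into the data directory is still caught.
    return PurePosixPath(posixpath.normpath(path)).parts


def paths_overlap(a: str, b: str) -> bool:
    """True if one path is the other, or an ancestor of the other."""
    pa, pb = _parts(a), _parts(b)
    n = min(len(pa), len(pb))
    return pa[:n] == pb[:n]


def find_risky_libraries(data_dir: str, libraries) -> list:
    """libraries: iterable of (name, content_path, camera_upload_enabled).
    Returns the names of Camera Upload libraries overlapping the data dir."""
    return [
        name
        for name, path, camera_upload in libraries
        if camera_upload and paths_overlap(data_dir, path)
    ]


def assess(version: str, data_dir: str, libraries) -> dict:
    """Combine both checks. 'exposed' is only True when the server is unpatched
    AND at least one Camera Upload library overlaps the data directory."""
    patched = is_patched(version)
    risky = find_risky_libraries(data_dir, libraries)
    return {"patched": patched, "risky_libraries": risky,
            "exposed": (not patched) and bool(risky)}


# Constructed sample configuration for the demonstration.
DATA_DIR = "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server"
LIBRARIES = [
    ("Movies", "/srv/media/movies", False),
    ("Phone Uploads", "/srv/media/phone", True),
    # Overlaps the data directory, and only after '..' is resolved.
    ("Photos", "/srv/media/../../var/lib/plexmediaserver/Library/"
               "Application Support/Plex Media Server/Media/photos", True),
]

if __name__ == "__main__":
    for ver in ("1.19.2.2737-2bd14b5e5", "1.19.3.2764-ef515a800"):
        print(ver, assess(ver, DATA_DIR, LIBRARIES))
```

Run stand-alone, it reports the unpatched version as exposed (only the "Photos" library is flagged, because "Phone Uploads" sits outside the data directory) and the patched version as not exposed even with the same risky library layout. In practice the overlap check is worth keeping even on a patched server: a library that shares a tree with the server's own state is a poor separation of duties regardless of any specific bug.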

"For reference, the version that addressed this exploit was roughly 75 versions ago," a Plex spokesperson said.

LastPass declined to comment on the new information.

What's glaring to us is that the chain of events that led to this breach started right from the top: LastPass allowed this senior employee to reach privileged corporate systems from a personal computer. That opened the door for someone to gain access to the employee's Plex administrator account, use it to trigger an exploit that had been patched for nearly three years and only still worked because the engineer never updated, and ride the resulting keylogger to unfettered access to those corporate systems.

Each stage of this sequence was set up by a decision that may have been justified for one reason or another at the time. But with the way things have developed, LastPass will need a bigger shovel if it wants to dig itself out of this hole.