Streaming service Plex unaware ‘of any unpatched vulnerabilities’ following LastPass report
The streaming service Plex defended the security of its software on Wednesday following a claim that it was exploited in an attack on password manager LastPass.
Plex’s comments came after LastPass revealed Tuesday that an intruder had leveraged a “vulnerable third-party media software package” to gain access to an engineer’s home computer in August 2022.
After compromising the engineer’s home computer, the attacker was able to access corporate backups of customers’ sensitive information stored in an encrypted format, LastPass said.
Ars Technica reported that the third-party media software package was Plex, citing a person briefed by LastPass. The report noted that the video streaming company disclosed that it had been hacked during August 2022.
In a statement sent to The Record, a spokesperson for Plex said: “We are not aware of any unpatched vulnerabilities, and as always, we invite people to disclose issues to us … using our guidelines and bug bounty program.”
LastPass said it had uncovered the threat actor’s activities after a forensic analysis of the company’s corporate resources and the engineer’s personal devices. Cybersecurity company Mandiant assisted with incident response and forensics, LastPass said.
Plex said it had not been contacted by LastPass and so “cannot speak to the specifics of their incident,” but it said company officials “take security issues very seriously, and frequently work with external parties.”
“When vulnerabilities are reported following responsible disclosure, we address them swiftly and thoroughly, and we’ve never had a critical vulnerability published for which there wasn’t already a patched version released,” added the statement.
Plex said that when it has had incidents of its own, it has “always chosen to communicate them quickly … Given recent articles about the LastPass incident, although we are not aware of any unpatched vulnerabilities, we have reached out to LastPass to be sure.”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.