BIPI

LastPass 2022 to 2023: How a Plex Vulnerability Took an Encrypted Vault

Threat Intelligence

LastPass disclosed two connected breaches over five months. The second, traced to a Plex Media Server vulnerability on a senior engineer's home machine, exfiltrated encrypted customer vaults. A walkthrough of the chain and the customer rotation imperative.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 27, 2024 · 9 min read

Tags: lastpass, password-manager, breach

LastPass disclosed two breaches in 2022 that were initially treated as a development-environment incident contained without customer impact. By March 2023, the company confirmed what the security community had suspected since the December 2022 update: customer vault backups had been exfiltrated, and the chain that led there started with a Plex Media Server CVE on a senior DevOps engineer's home computer. The case is the cleanest 2022 to 2023 example of why developer endpoints deserve the same protection as production systems.

Timeline of the two-stage breach

  1. August 8, 2022: LastPass discloses Incident 1. An unauthorized actor accessed the LastPass development environment via a compromised developer endpoint. Source code and proprietary technical information taken; no production data exfiltrated.
  2. August to October 2022: The same actor uses information from Incident 1 (including encrypted backup keys and developer environment details) to plan a second intrusion. The attacker identifies four senior DevOps engineers with access to decryption keys for cloud storage backups.
  3. August 12, 2022 (estimated): The attacker exploits CVE-2020-5741 in Plex Media Server on one engineer's home computer. Plex was running on a personal device that the engineer also used to access corporate cloud resources.
  4. August to October 2022: The attacker installs a keylogger on the home machine. They capture the engineer's master password to a corporate LastPass vault, which contained the keys to decrypt LastPass's own cloud storage backups.
  5. November 30, 2022: LastPass discloses Incident 2: customer encrypted vault backups, billing addresses, and partial customer metadata exfiltrated.
  6. December 22, 2022 and March 1, 2023: Updates expand scope. By March, LastPass confirms vault backups containing both encrypted (master-password-protected) and unencrypted (URLs, names) fields were taken.

Root cause: a chain across environments LastPass did not control

The forensic chain reads like a worst-case slide in a security awareness deck. A senior engineer ran a media server on a home machine that had not been patched against a publicly known vulnerability disclosed two years prior. The same machine had access (or had access to credentials for access) to corporate cloud infrastructure. The attacker followed the chain from home network -> home machine -> keylogger -> corporate cloud -> decryption keys -> customer vault backups. No part of the chain required a novel exploit; it required only that the chain existed and that nobody mapped it.

What was in the stolen vault data

The exfiltrated backup files contained two classes of data per customer. Encrypted fields included usernames, passwords, secure notes, and form-fill data, all protected by the customer's master password through PBKDF2 with 100,100 iterations (the default for accounts created after 2018). Unencrypted fields included site URLs, last-accessed dates, and IP addresses. The encrypted vaults were exposed to offline brute-force attack against the master password, with attackers free to keep guessing for as long as their compute budget allowed. Customers with weak master passwords (shorter than ~12 characters, or with little real entropy behind them) had to assume their vaults would eventually be cracked; even strong-password customers had to treat the unencrypted URL list as a ready-made phishing target list.
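To make the offline exposure concrete, here is an added estimator (not LastPass code, and not from the original article) that derives a key with PBKDF2 at the page's 100,100 iterations and converts a master password's entropy and an attacker's guess rate into expected cracking time. It assumes PBKDF2-HMAC-SHA256 with a per-user salt; the salt, the comparison iteration count and the attacker guess rate are constructed values, not figures from the page.

```python
import hashlib
import time

# Assumption: PBKDF2-HMAC-SHA256 with a per-user salt; the page states only
# "PBKDF2 with 100,100 iterations". The salt value is constructed.
SALT = b"user@example.com"
PAGE_ITERATIONS = 100_100
STRONGER_ITERATIONS = 600_000   # comparison count, an assumed figure


def derive_vault_key(master_password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Derive the 32-byte vault key; an offline attacker pays this cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def measure_seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one PBKDF2 evaluation on this machine."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("constructed-benchmark-password", iterations)
    return (time.perf_counter() - start) / samples


def rescale_guess_rate(rate: float, from_iterations: int, to_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so a guess rate measured
    at one count converts directly to another."""
    return rate * from_iterations / to_iterations


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the master password: half the keyspace on average."""
    return (2.0 ** entropy_bits / 2) / guesses_per_second


if __name__ == "__main__":
    # Hypothetical attacker rate at the page's iteration count (constructed, not measured).
    attacker_rate = 1_000_000.0
    print(f"this CPU: {measure_seconds_per_guess(PAGE_ITERATIONS) * 1000:.1f} ms per guess")
    for bits in (28, 40, 60, 80):
        at_page = expected_crack_seconds(bits, attacker_rate)
        at_stronger = expected_crack_seconds(
            bits, rescale_guess_rate(attacker_rate, PAGE_ITERATIONS, STRONGER_ITERATIONS))
        print(f"{bits:>3} bits: {at_page / 86400:.2e} days at {PAGE_ITERATIONS:,} iterations, "
              f"{at_stronger / 86400:.2e} days at {STRONGER_ITERATIONS:,}")
```

The point the table makes is the one the paragraph states: raising the iteration count only scales the attacker's cost linearly, while each extra bit of master-password entropy doubles it, so a low-entropy master password is not rescued by the KDF.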

Detection and response signals customers should have run

  • Audit of every credential in the pre-October-2022 vault, with priority rotation for any with cloud admin, banking, email, or single-sign-on master access.
  • Phishing campaign monitoring against the URLs present in your vault, since the URL list itself was exfiltrated unencrypted.
  • MFA enforcement on every service where a vault-stored password had been the primary authentication factor (which, since the vault was meant to hold every credential, was effectively every service).
  • Re-issuance of any cryptographic keys (SSH, signing keys, API tokens) that had been stored in 'secure notes' in the vault.
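The four actions above can be driven from a vault export. The following added script (not from the article, and not a LastPass tool) reads a constructed CSV export, queues pre-cutoff passwords for rotation with the page's priority classes first, extracts the URL list for phishing monitoring, lists password-backed entries that need MFA, and flags secure notes holding private keys for re-issuance. The column layout, the cutoff date and the keyword heuristics are assumptions.

```python
import csv
import io
import re
from datetime import date

# Constructed sample export. The column layout is an assumption modelled on a
# generic CSV vault export; it is not a verified LastPass export format.
SAMPLE_EXPORT = """\
url,username,password,extra,name,grouping,last_modified
https://console.aws.amazon.com,root,hunter2,,AWS root,Cloud,2022-03-14
https://mail.example.com,alice,Tr0ub4dor,,Work email,Email,2022-09-02
https://bank.example.com,alice,correct-horse,,Bank,Finance,2023-01-20
,,,-----BEGIN OPENSSH PRIVATE KEY----- AAAA -----END OPENSSH PRIVATE KEY-----,deploy key,Secure Notes,2021-11-05
https://forum.example.net,alice,pw123,,Forum,Misc,2022-05-01
"""

# Entries last changed on or before the cutoff were in the stolen backups.
# The page says "pre-October-2022"; the exact day is an assumption.
CUTOFF = date(2022, 10, 31)
# Keyword heuristics for the page's priority classes (assumed patterns).
PRIORITY = {
    "cloud admin": re.compile(r"aws|azure|cloud\.google|console", re.I),
    "banking": re.compile(r"bank", re.I),
    "email": re.compile(r"mail", re.I),
    "sso": re.compile(r"okta|sso|idp", re.I),
}
KEY_MATERIAL = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def audit_vault(export_text: str, cutoff: date = CUTOFF) -> dict:
    """Map each row of the export onto the four response actions."""
    rotate, watchlist, mfa_targets, reissue = [], [], [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        modified = date.fromisoformat(row["last_modified"])
        haystack = " ".join((row["url"], row["name"], row["grouping"]))
        tags = [tag for tag, rx in PRIORITY.items() if rx.search(haystack)]
        if row["url"].startswith("http"):
            watchlist.append(row["url"])       # URLs were stolen in the clear
        if row["password"]:
            mfa_targets.append(row["name"])    # password-only auth needs MFA
            if modified <= cutoff:
                rotate.append((row["name"], tags))
        if KEY_MATERIAL.search(row["extra"]):
            reissue.append(row["name"])        # key in a secure note: re-issue it
    # Priority classes first, then alphabetical, so the rotation queue is ordered.
    rotate.sort(key=lambda item: (not item[1], item[0]))
    return {"rotate": rotate, "phishing_watchlist": watchlist,
            "mfa_targets": mfa_targets, "reissue_keys": reissue}


if __name__ == "__main__":
    for action, items in audit_vault(SAMPLE_EXPORT).items():
        print(f"{action}: {items}")
```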

Lessons that reshaped developer endpoint policy

Three policy changes became near-universal in our client base after the LastPass post-mortems. First, no personal-machine access to production keys, with explicit prohibitions on syncing corporate credentials to home devices. Second, FIDO2 on the password manager itself for any user holding decryption keys to multi-tenant data, eliminating master-password-as-single-factor for those roles. Third, separation of backup decryption from operational access: the keys that decrypt customer vault backups should not be in the same key management context as the keys engineers use day to day. LastPass had collapsed those, and the keylogger picked up a single credential that opened everything.

When a CVE on a home media server reaches customer vault backups, the root cause is not the CVE. The root cause is an access topology that allowed a home machine to reach production decryption keys at all.
Key figures from the article's summary panel:

  • CVE-2020-5741: the Plex Media Server entry point
  • 4 engineers with backup decryption privileges
  • 30M+ LastPass customers affected
  • 100,100 PBKDF2 iterations on encrypted fields

LastPass also drove a broader conversation in 2023 about whether the password-vault model itself was reaching the end of its useful life for high-value accounts. Passkey adoption (FIDO2-based credentials that cannot be exfiltrated as a database) accelerated through 2023 and 2024, and the LastPass case is the most-cited reason in our customer conversations for why. The vault model works fine until the vault itself is the supply chain link.
