On a random day in August 2022 a LastPass developer logged into his work computer. He was at home. His computer was a personal one that he also did work on, because his employer thought that was convenient. On that computer ran Plex Media Server. Plex Media Server had a vulnerability that had been known for three months and for which a patch had existed for three months. Plex Media Server was not patched.
The rest of the story writes itself and is at the same time much more painful than you would think.