Popular streaming platform Plex is sending emails to its customers to notify them about a recent security breach that compromised the company’s user accounts data. The stolen data includes email IDs, usernames, and passwords.
Plex’s Notification Details
The company’s message to its customers stated that all account passwords were hashed and secured using the industry’s recognized best practices, which means they were encrypted. Still, there is an indication that passwords were accessed. Hence, it advises users to change their passwords immediately.
Moreover, the email claimed that payment card data wasn’t stored in the compromised database. Therefore, it stayed unaffected. The company also advised users to sign out of all connected devices after changing their passwords and log back in to implement changes.
Were Passwords Compromised?
The company stressed that the passwords were cryptographically scrambled, so attackers would need to crack the hashes using additional tools to change them to plaintext format. Plex’s spokesperson said the passwords were hashed with bcrypt, which is among the strongest and securest password-protection algorithms and makes cracking harder.
On Wednesday, multiple Plex media streaming website users complained about finding it difficult to log in to their accounts. Security researcher Troy Hunt also complained and posted screenshots of the errors displayed when he tried to access his account.
Later, Plex confirmed being hacked and explained that the attackers managed to access its proprietary database and stole usernames, emails, and passwords of at least 15 to 30 million of its customers.
“Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation, and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.”
Plex noted that there’s no evidence that any other private information of its users was accessed or compromised as the intruders could not access private media libraries that could have included private nudes, pirated content, and other sensitive media files.
The company has identified the source and cause of this breach and pledged to mitigate the threat quickly and prevent others from leveraging the flaw. It urges users to enable 2FA and use difficult-to-guess passwords across all their apps, sites, and services.
Plex 2015 Hack
This is not the first time that Plex has suffered a security breach. In July 2015, as Hackread.com reported, a hacker stole the database belonging to Plex’s discussion forums. The database contained the personal details of 327,000 registered users.
The hacker went on to demand a ransom of 9.5 Bitcoin ($2,427 or €2,190 at that time). However, the database ended up online on cybercrime and hacker forums giving access to users’ email addresses, IP addresses, hashed passwords, and usernames.