Plex enforces password reset after hackers stole information for >15 million customers


Streaming media platform Plex said on Wednesday it had been hacked by intruders who managed to access a proprietary and obscure database with passwords, usernames and email data belonging to at least half of its 30 million subscribers.

“Yesterday, we discovered suspicious activity in one of our databases,” company officials wrote in emails sent to customers. “We immediately started an investigation and it appears that a third party was able to access some of the restricted data which includes an encrypted email, username and password.”

The email says that passwords were “hashed and secured according to best practices,” which means they are cryptographically scrambled in a way that requires attackers to devote additional resources to cracking each hash and returning it to plain text. A Plex spokesperson said that passwords are hashed using bcrypt, among the strongest algorithms for protecting passwords. bcrypt automatically applies what is known as cryptographic salting and peppering to make cracking more difficult.

The company still requires all customers to reset their passwords. The step-by-step instructions are here. For good measure, the company recommends logging out of all connected devices after a password change and then logging back in.

The email also said that no payment card details were stored in the accessed database, so they were not affected by the breach.

Several people reported having trouble logging into their accounts on Wednesday morning. Security researcher Troy Hunt posted a screenshot of the error he received while trying to log into his account.

Two Ars staff said they also had trouble accessing their accounts at first but eventually got in. A third person connected to Ars reported resetting his password and, soon after, receiving an email from Plex instructing him to reset his password once again. The email sent him into a loop when he couldn’t log in with the new password.

Plex is the premier provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or local media servers. A Plex spokesperson said the company had more than 30 million registered users and most of them were affected by the breach.

Wednesday’s notice said company officials had identified the method the intruder used to gain access to the database and had fixed it. Engineers are continuing to carry out additional reviews to prevent similar breaches from happening again.
