Media streaming platform Plex on Wednesday said it was breached by hackers who managed to access a proprietary database and delete password, username and email data belonging to at least half of its 30 million customers.
“Yesterday, we discovered suspicious activity in one of our databases,” company officials wrote in an email sent to customers. “We immediately launched an investigation and it appears that a third party was able to access a limited subset of data that includes emails, usernames and encrypted passwords.”
The email said the passwords were “hashed and secured according to best practices,” meaning the passwords were cryptographically encoded in a way that requires attackers to devote additional resources to cracking the hashes and returning them to plaintext. A Plex spokesperson said passwords were hashed using bcrypt, among the strongest algorithms for password protection. bcrypt automatically applies what is known as cryptographic salt and pepper to make cracking more difficult.
However, the company requires all customers to reset their passwords. Step-by-step instructions are here. For good measure, the company advises logging out of all connected devices after changing the password and then logging back in.
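The salting and peppering mentioned above, sketched as an added example (this is not Plex's code): a random per-password salt is stored beside the hash, and the pepper is assumed to be a server-side secret kept outside the database. PBKDF2 from the Python standard library stands in for bcrypt so the sketch runs without third-party packages; the record layout, names and values are constructed for illustration.

```python
import hashlib
import hmac
import os

PEPPER = b"constructed-demo-pepper"  # assumption: lives in app config or an HSM, never in the DB
ITERATIONS = 100_000                 # work factor; bcrypt's counterpart is its cost parameter


def _derive(password: str, salt: bytes, pepper: bytes, iterations: int) -> bytes:
    # Pepper: keyed pre-hash using a secret the database never contains.
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    # Salted, deliberately slow derivation (PBKDF2 standing in for bcrypt).
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = _derive(password, salt, pepper, ITERATIONS)
    # The salt and work factor are stored in the clear next to the digest.
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = _derive(password, bytes.fromhex(salt_hex), pepper, int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    pw = "hunter2-constructed"  # constructed sample password
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    return {
        # Salt: identical passwords never share a stored record.
        "same_password_distinct_records": rec_a != rec_b,
        "correct_password_verifies": verify_password(pw, rec_a),
        "wrong_password_rejected": not verify_password("guess", rec_a),
        # Pepper: a copy of the database alone cannot confirm even a correct guess.
        "db_only_copy_cannot_verify": not verify_password(pw, rec_a, pepper=b"not-the-pepper"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The reset Plex requires still matters in this model: salt and work factor slow offline guessing but do not stop it, and a pepper helps only as long as it was not exposed along with the database.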
The email also stated that no payment card details were stored in the accessed database and that they are therefore not affected by the breach.
Many people reported having trouble logging into their accounts on Wednesday morning. Security researcher Troy Hunt posted a screenshot of the errors he received when trying to log into his account.
Two Ars staffers said they too initially had trouble accessing their accounts but eventually succeeded. A third person connected to Ars reported that he reset his password and received an email from Plex shortly after instructing him to reset his password. His email looped when he couldn’t log in with the new password.
Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or indoor media servers. A Plex spokesperson said the company has more than 30 million registered users and that the majority of them were affected by the breach.
Wednesday’s notification said company officials have already uncovered the means the attackers used to gain access to the database and have fixed them. Engineers continue to perform additional checks to prevent similar breaches from occurring again.