Hackers - or just a hacker - have pillaged the forum and blog server of TV software biz Plex, gaining access to IP addresses, private messages, emails and encrypted forum passwords.
In response, Plex is requiring customers to change their passwords.
In a security update sent to customers yesterday, Plex said:
Sadly, we became aware this afternoon that the server which hosts our forums and blog was compromised.
We are still investigating, but as far as we know, the attacker only gained access to these parts of our systems. Rest assured that credit card and other payment data are not stored on our servers at all.
The attacker was able to loot IP addresses, private messages, email addressees and encrypted forum passwords (in technical terms, they are hashed and salted).
It added: “We’re sorry for the inconvenience, but both your privacy and security are very important to us and we’d rather be safe than sorry."
The company has taken its forum offline and tweeted that it will update users as soon as it has more news.
In a Reddit post, the company attributed the issue to a PHP/IPB vulnerability: "We have no reason to believe that any other parts of our infrastructure was compromised, but we're investigating."
A statement re-posted on Reddit, and purporting to be from the hacker, claimed he was giving Plex until tomorrow to pay him £1,500 worth of Bitcoin, or he would release the data. ®