Attacker snags account details from streaming service Plex
'Limited subset' of users have emails, usernames, and hashed passwords stolen from the platform
Users of popular streaming and media organizing service Plex are waking up to an unpleasant email this morning saying, in the words of a Reg reader, "Plex have been hacked and their main site is down as we all rush to change passwords."
The email, forwarded by several readers, states that a third-party attacker was able to access a "limited subset" of user account data, including passwords that "were hashed and secured in accordance with best practices."
All Plex users are being required to reset their passwords, per the email, though it's unclear how mandatory or automated the change will be. Several of our readers complained they couldn't immediately do this as the servers were buckling under the strain.
Brilliant. Thanks @plex #Plex pic.twitter.com/DCYBQTtKnZ— KellicTiger (@KellicTiger) August 24, 2022
Plex said payment data and credit card information aren't stored on its servers, and none was stolen in the breach.
The streaming company wasn't too forthcoming, saying only what was quoted above. Plex did say in its email that it had "already addressed the method that this third-party employed to gain access to the system," and assured users it's doing further work to harden systems against future attacks.
Not mentioned were specific mitigation measures, or details on how the attack was carried out. Plex also declined to put numbers to its "limited subset" of users and did not clarify whether the hashed logins were salted. We've asked and will update the story if we hear back.
Later in the missive, Plex said it was "kindly requesting" users reset their passwords – hardly mandatory language – and asked them to ensure they select the option to sign out of all connected services as well.
Plex began life as a streaming service mostly known for easy home media server setup, as well as offering integrations for several popular media apps.
Plex offered a cloud service that let users sync files from cloud services, but it discontinued the service in 2018, forcing cloud users to return to at-home media servers. The service also offers free and ad-supported movies as well as live streaming channels.
Plex's password reset instructions are a bit laborious, but it's a good idea not to sit on this one if you're a user, especially if your Plex account is tied to a home media server you'd like to keep secure. ®