Streaming media platform Plex on Wednesday said it was hacked by intruders who managed to access a proprietary database and make off with password data, usernames, and emails belonging to at least half of its 30 million customers.
“Yesterday, we discovered suspicious activity on one of our databases,” company officials wrote in an email sent to customers. “We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.”
The email said that the passwords were “hashed and secured in accordance with best practices,” meaning the passwords were cryptographically scrambled in a way that requires attackers to devote additional resources to crack the hashes and revert them back to their plaintext state. A Plex spokesperson said that the passwords were hashed using bcrypt, among the strongest algorithms for protecting passwords. bcrypt automatically applies what’s known as cryptographic salting and peppering to make cracking harder.
The company is nonetheless requiring all customers to reset their passwords. Step-by-step instructions are here. For good measure, the company advises signing out of all connected devices after the password change and then logging back in.
The email also said that no payment card details were stored in the database that was accessed and therefore aren’t affected by the breach.
Multiple people reported having trouble logging in to their accounts on Wednesday morning. Security researcher Troy Hunt posted a screenshot of errors he received when trying to log in to his account.
Two Ars staffers said they, too, initially had trouble accessing their accounts but eventually succeeded. A third person connected to Ars reported resetting his password and receiving an email from Plex immediately afterward instructing him to once again reset his password. The email sent him in a loop when he could not log in with the new password.
Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers. The Plex spokesperson said the company has more than 30 million registered users and that the majority of them were affected by the breach.
Wednesday’s notification said that company officials have already uncovered the means the intruders used to gain access to the database and have fixed it. Engineers continue to do additional reviews to prevent similar breaches from occurring again.