Streaming media platform Plex said on Wednesday it had been hacked by intruders who managed to access its own database and steal passwords, usernames and emails from at least half of its 30 million customers.
“Yesterday we discovered suspicious activity in one of our databases,” company officials wrote in an email sent to customers. “We immediately launched an investigation and it appears that a third party had access to a limited subset of data, including emails, usernames and encrypted passwords.”
The email stated that the passwords were “hashed and secured in accordance with best practices”, meaning the passwords were cryptographically encrypted in a way that requires attackers to deploy additional resources to crack the hashes and restore them to their readable state. A Plex spokesperson said the passwords were hashed using bcrypt, one of the strongest password protection algorithms. bcrypt automatically applies what is known as cryptographic salting and peppering to make cracking more difficult.
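A bcrypt string carries its own work factor and per-password salt, which is what determines how much effort each cracking guess costs. The following is an added example, not code from Plex or from the original article: it parses stored hash strings and flags rows that are not bcrypt, use a low work factor, or share a salt. The `min_cost` floor of 10 and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# bcrypt's own base64 alphabet (not the RFC 4648 one).
ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

def parse_bcrypt(stored):
    """Return (variant, cost, salt_bytes), or None if not a bcrypt string."""
    m = BCRYPT_RE.fullmatch(stored)
    if not m or not 4 <= int(m.group(2)) <= 31:
        return None
    bits = 0
    for ch in m.group(3):
        bits = (bits << 6) | ALPHABET.index(ch)
    # 22 characters carry 132 bits; the 16-byte salt is the top 128 of them.
    return m.group(1), int(m.group(2)), (bits >> 4).to_bytes(16, "big")

def audit(records, min_cost=10):
    """Map each user to a list of findings; min_cost is an assumed policy floor."""
    parsed = {user: parse_bcrypt(h) for user, h in records.items()}
    salt_use = Counter(p[2] for p in parsed.values() if p)
    findings = {}
    for user, p in parsed.items():
        if p is None:
            findings[user] = ["not-bcrypt"]
            continue
        _, cost, salt = p
        issues = []
        if cost < min_cost:
            issues.append(f"low-cost:2^{cost}")
        if salt_use[salt] > 1:
            issues.append("salt-reused")
        findings[user] = issues
    return findings

# Constructed sample rows: salts and digests are filler, not real hashes.
SAMPLE = {
    "alice": "$2b$12$" + "AbCdEfGhIjKlMnOpQrStUu" + "I" * 31,
    "bob": "$2a$05$" + "." * 21 + "O" + "x" * 31,
    "carol": "$2a$05$" + "." * 21 + "O" + "y" * 31,
    "dave": "0123456789abcdef" * 2,  # 32 hex characters, not a bcrypt string
}

if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(user, issues or ["ok"])
```

Each increment of the cost field doubles the work per guess, so a row at cost 5 is 128 times cheaper to attack than one at cost 12.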
The company nevertheless requires all customers to reset their passwords. Step-by-step instructions can be found here. For the record, the company recommends logging out of all connected devices after the password change and then logging back in.
The email also stated that payment card details are not stored in the database that was accessed and are therefore unaffected by the breach.
Several people reported having problems logging into their accounts on Wednesday morning. Security researcher Troy Hunt posted a screenshot of errors he received when he tried to log into his account.
Two Ars employees said they also had problems accessing their accounts at first, but they eventually succeeded. A third person connected to Ars reported that he reset his password and immediately afterwards received an email from Plex instructing him to reset his password. The email sent him in a loop when he couldn’t log in with the new password.
Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers. The Plex spokesperson said the company has more than 30 million registered users and the majority of them have been affected by the breach.
Wednesday’s notice said company officials have already discovered and repaired the means the intruders used to access the database. Engineers will continue to conduct additional assessments to prevent similar breaches from happening again.