Plex confirms database breach and data theft

Popular streaming media platform Plex is struggling to reset users’ passwords after a database hack that included the theft of encrypted emails, usernames and passwords.

Plex, a California-based company that operates a media streaming service and client-server media player platform, confirmed that a third party “was able to access a limited subset of data” from a database.

The company is urging all Plex users to immediately reset account passwords and log out of all devices connected to its service.

From the Plex notification:

Yesterday we discovered suspicious activity on one of our databases. We immediately launched an investigation and it appears that a third party was able to access a limited subset of data including encrypted emails, usernames and passwords. While all account passwords that could have been accessed have been hashed and secured in accordance with best practices, as a precaution, we require all Plex accounts to have their passwords reset.

The company said credit card and other payment data is not stored on its servers and was not vulnerable or compromised in this incident.

Plex did not provide details about the database hack or whether any software vulnerabilities were exploited.

“We have already addressed the method used by this third party to gain access to the system, and we are conducting additional reviews to ensure that the security of all of our systems is further tightened to prevent future incursions,” the company said.

“While account passwords have been secured using best practices, we require all Plex users to reset their passwords.”

In addition to immediate password resets, Plex recommends users check the “Disconnect connected devices after password change” box.

“This will additionally disconnect all of your devices (including any Plex Media Servers you own) and force you to reconnect with your new password. It’s a hassle, but we recommend doing this for increased security,” the company said.

Ryan Naraine is editor of SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a seasoned cybersecurity strategist who has implemented security engagement programs for major global brands including Intel Corp., Bishop Fox, and Kaspersky GReAT. He is co-founder of Threatpost and the SAS Global Conference Series. Ryan’s previous career as a security journalist included articles in major technology publications, including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World. Ryan is a director of the nonprofit organization Security Tinkerers, an advisor to startup entrepreneurs, and a regular speaker at security conferences around the world.
Maria H. Underwood