Plex is notifying users that it has suffered an intrusion – sort of.
The popular media server company said that the infiltration exposed a limited amount of internal server and account data; however, it steered clear of calling the incident a data breach in a blog post titled ‘A Friendly Reminder,’ published Monday evening.

“If you are receiving this email, we discovered that potential unauthorized activity had been performed on our Plex Forums [server],” the company’s security team wrote in the post, “and, as a security precaution, we have securely destroyed all the data (as [in] erased, not recycled) on the server as well as rotated all the associated passwords.”
In an email to customers, Plex said that it had “transferred forums to a more secure system and converted your password to a hashed format.”
However, Plex had an encrypted copy of the data, although the company says it was only encrypted twice: once by the old forum software and once by the Plex software.
The company explained how the hackers got into the server: “The hacker was able to access this data for a limited amount of time, by exploiting a chink in the old forums software. When we moved to the new forums in January, we switched to Invision Community software. As a result of the move, account passwords were hashed and cannot be viewed, created or used by the software.”
The company said that an unauthorized party had gained access to its emails, as well as the user names, securely hashed passwords and some authentication data that were stored in its systems. Although Plex says the breach was found and contained, it is asking all users to act as soon as they can.
What Plex says was accessed
In a notice to customers, Plex labelled the breach as “a minor security issue” but acknowledged that some user identifiers and password hashes had been compromised. The service noted that “it’s near impossible to enter that exact code in a text box,” but it also emphasized that the passwords “were salted and hashed,” not stored in plain text, a best practice that makes stolen credentials much more difficult to exploit. However, on the off chance that the associated authentication data was also exposed, users should invalidate their sessions and sign in again on any devices they use.
Plex says it acted promptly to limit the breach and is looking into how the attacker accessed the system.
The company apologized for the incident and said it is performing further security assessments in order to strengthen its infrastructure and procedures.
What action users should take now
Change your Plex password immediately, and pick a strong, unique passphrase that you haven’t used on any other site. 2FA is particularly important, and the guidance from NIST and other security standards bodies strongly favours authenticator apps and hardware security keys over SMS codes.
When you change your password, sign out of all devices and sessions from your account’s security page. This helps invalidate any lost token or existing session that an attacker might try to use. If you sign in through a third-party identity provider like Google or Apple, revoke active sessions there too, and then sign in again with your new credentials.
Lastly, check your authorized devices, connected apps and server shares. Remove anything you don’t recognize. Beware of phishing: hackers routinely exploit breach-related details to craft plausible emails that induce you to “verify” your account. Plex will never ask for your password via email, and you should only reach account settings by navigating to them in the app, not by clicking links in unsolicited messages.
How safe are “securely hashed” passwords?
Hashing is a one-way process that turns an input, such as a password typed into a text box, into a single fixed-length string, and it is commonly used to protect stored passwords. When used with an up-to-date algorithm and unique salts, it raises the bar for attackers by preventing simple reversals and rainbow-table lookups. But even if an attacker gets only the hashes, they can still try to crack weak or recycled passwords offline.

That is why unique, high-entropy passphrases matter. A longer passphrase, something along the lines of several random words, makes a brute-force attack far less likely to succeed. Password managers can create and save these secrets, and 2FA means that even when a password is guessed, the attacker is still missing the second factor.
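The points above about unique salts, offline guessing and passphrase length can be seen in a short Python sketch. This is an added example, not Plex's code: the page does not say which algorithm Plex uses, so scrypt and its cost parameters are assumptions, and the user names, passwords and word list are constructed sample data.

```python
import hashlib
import hmac
import math
import os

# Assumed scrypt cost parameters for this example (not taken from the page).
N, R, P = 2**14, 8, 1

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return salt, digest

def verify(password, salt, digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def audit_against_wordlist(records, wordlist):
    """Defender-side audit: list accounts whose stored hash matches a known-weak password.

    The per-user salt forces one slow hash per (user, guess) pair, so a
    precomputed rainbow table is useless, yet weak passwords are still found.
    """
    return sorted(
        user for user, (salt, digest) in records.items()
        if any(verify(guess, salt, digest) for guess in wordlist)
    )

def passphrase_bits(words, wordlist_size=7776):
    """Entropy in bits of `words` randomly chosen words (7776 = Diceware list size)."""
    return words * math.log2(wordlist_size)

# Constructed sample data: two users share a weak password, one uses a passphrase.
COMMON = ["123456", "password", "qwerty", "letmein"]
STORED = {
    "alice": hash_password("password"),
    "bob": hash_password("password"),
    "carol": hash_password("orbit-walnut-ferry-cobalt-mango"),
}

if __name__ == "__main__":
    print("same password, same digest?", STORED["alice"][1] == STORED["bob"][1])
    print("accounts with weak passwords:", audit_against_wordlist(STORED, COMMON))
    print("5-word passphrase entropy: %.1f bits" % passphrase_bits(5))
```

Because each record carries its own salt, the two identical passwords produce different digests, while the short word list still identifies both accounts; the five-word passphrase is not in any such list.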
Credential stuffing and phishing will become more prevalent
Security researchers and incident reports from companies like Verizon and Akamai have consistently identified stolen credentials as a major source of account takeovers. After a breach, attackers often try the exposed usernames and passwords on many other services, a technique called credential stuffing. If you’ve reused your Plex password elsewhere, you should change it on those services immediately.
Attackers are also capitalizing on the news cycle with targeted phishing. Be on the lookout for emails that mention your media library, your subscription or device logins, and prompt you to act right away. Check sender addresses, look closely at domain names, and don’t download attached files or enter your credentials on pages linked to from emails. Services like Have I Been Pwned can help you track whether your email appears in known data sets, but always log in by visiting the site directly.
What Plex is up to — and what to look out for
Plex says it’s conducting further audits and strengthening security across the board. Details are scarce at this time, but the prompts you have already been seeing will continue, including security reminders, expired sessions and suggestions encouraging 2FA. If Plex pushes new guidance, follow it immediately and to the letter, especially if prompted to reauthenticate devices or regenerate server tokens.
If you are an admin of a Plex Media Server, check your Remote Access settings, refresh any of your own API tokens that were affected, and re-approve the trusted clients that were affected.
Keep both server software and client apps updated, and limit administrative access to accounts that have strong passwords and 2FA.
The bottom line
Hashing prevents the worst-case scenario, but it does not eliminate risks. The best defense for Plex users is an immediate password reset, a universal sign-out, and strong 2FA. Pair those steps with careful phishing hygiene and a commitment to use unique passwords across services, and you’ll stay ahead of the downstream attacks.
