Posted on August 25, 2022 at 7:42 PM
Plex Sends Password Reset Notification To Users After Suffering From A Breach
Media streaming platform Plex has warned users about a recent data breach that may compromise users’ accounts. The platform has already sent password reset emails to the affected users as a precaution to prevent unauthorized access to its database.
Based on the message, the threat actor potentially accessed a limited subset of data, which includes email addresses, encrypted passwords, and usernames.
The notice claimed that all account passwords the hackers could have accessed were secured and hashed in line with best practices. However, as a precaution, all Plex account passwords need to be reset to prevent any unforeseen risk of exploitation.
Account Data Are Safe
Plex also assured users that their credit card and other payment data are not affected by the breach. This is because this data is not stored on its servers, which means it was not exposed through the incident.
The company also announced that through its investigation, it has discovered how the third party gained access to the database. It says it has addressed the situation and strengthened its systems to prevent further successful attacks in the future.
Troy Hunt, creator of ‘Have I Been Pwned’, a data breach monitoring service, was also among the affected users, according to the report.
The Actual Impact Of The Breach Is Still Vague
While an investigation into the incident is still ongoing, the impact of the attack and of the password reset action has not yet been confirmed by Plex. However, the company classified it as a “limited” impact.
Plex has been contacted for more information about the incident, but the company reiterated that more details will be provided as soon as new information surfaces on the matter. Some user reports show that the problem does not have any impact on free accounts. This probably means only paying accounts have been compromised, although it hasn’t been confirmed yet.
In the meantime, the Plex.tv website has experienced an outage and is down as of press time. The status page of Plex has also acknowledged the issue and noted that the problem is under investigation.
It is not known whether the recent outage is related to the breach of its database or whether a separate distributed denial-of-service (DDoS) attack targeted the platform.
The company is enforcing password reset through automatic sign-ups. Users may encounter media collection access issues if they keep using their existing devices without logging out of the devices.
Additionally, many users have reported that they are receiving internal error messages when they try to update their account password. At the time of writing, some users are still having this issue and have requested urgent attention from the platform to fix it.
Plex Has Issued Recommendations For Password Reset
Plex has asked users to follow its recommendations after resetting their passwords to ensure that their accounts are well protected. Also, the platform has warned users who may be sharing the same password or account details with other accounts to reset their passwords there as well. Those who fail to reset their passwords may be exposed to potential credential stuffing attacks either now or in the future. There have been several reported cases where threat actors use stolen username-password pairs to log into accounts on various platforms to steal information.
While encryption provides a level of security for the passwords, it is not foolproof, since experienced hackers can still crack them. Plex also says that the type of algorithm used in encrypting the passwords will determine how hard they are to crack. Plex did not provide additional details on the password matter.
Users Have Been Advised To Apply Multi-Factor Authentication
Users have been advised to use multi-factor authentication (MFA) as an additional layer of security. Plex offers two-factor authentication as one of its login processes. The platform has advised users to follow its instructions to opt in to the additional layer of security, which protects users even when there is a breach on the website. Also, users have been advised to maintain unique passwords across the accounts they keep online. This is because a threat actor can compromise another account using the details of an exposed one when both accounts share the same password.