The media streaming platform Plex has asked customers to change their passwords after unauthorized access to a database containing customer data. The attack resulted in the theft of email addresses, usernames, hashed passwords, and authentication data.
According to BleepingComputer, the passwords were hashed in accordance with current best practices. However, Plex did not disclose which algorithm was used. This means there is a possibility that malicious parties will attempt to crack the hashes. As a precaution, all users are advised to reset their passwords immediately via plex.tv/reset.
Plex recommends using the option that automatically logs out all connected devices after the change. This ensures that active sessions that could potentially be exploited by third parties are terminated and that users must log in again with their new credentials. Users who log in via Single Sign-On must take an additional step: they must manually log out of all devices via plex.tv/security and then log in again with their new login details.
No credit card details leaked
The company emphasizes that no credit card details were stolen because such information is not stored on its servers. In addition, Plex recommends that users enable two-factor authentication for extra protection of their accounts. Plex says it has now closed off the method the attacker used to gain access. However, the company is not sharing any technical details about the attack or the origin of the breach.
This is not the first time Plex has asked customers to change their passwords after an incident. In August 2022, the company was hit by a similar data breach. Then, too, hashed passwords and authentication data fell into the wrong hands.
Plex apologizes for the inconvenience and states that internal detection systems helped to quickly identify the incident. The company says it will implement further security measures and build in additional controls to prevent a recurrence and maintain the trust of its customers.