Media streaming platform Plex said Wednesday that hackers gained access to a private database and stole passwords, usernames and emails of at least half of its 30 million customers.
“Yesterday, we detected suspicious activity in one of our databases,” company officials wrote in an email sent to customers. “We immediately launched an investigation and it appears that a third party was able to access a limited subset of the data that includes email messages, usernames, and encrypted passwords.”
The email said the passwords were “hashed and secured according to best practices,” meaning that the passwords were cryptographically scrambled in a way that requires attackers to devote additional resources to crack the hashes and return them to their plaintext state. A Plex spokesperson said that the passwords were hashed using bcrypt, among the strongest algorithms for protecting passwords. bcrypt automatically applies what is known as cryptographic salting and stretching to make cracking more difficult.
Even so, the company is requiring all customers to reset their passwords. Step-by-step instructions are available here. For good measure, the company advises customers to log out of all connected devices after changing the password and then log back in.
The email also mentioned that the payment card details were not stored in the database that was accessed, and therefore are not affected by the hack.
Several people reported that they had trouble logging into their accounts on Wednesday morning. Security researcher Troy Hunt shared a screenshot of the errors he received when trying to sign in to his account.
Two Ars employees said they also initially had trouble accessing their accounts but eventually succeeded. A third person connected to Ars reported that their password was reset and that they received an email from Plex right afterward asking them to reset their password again. The email sent him into a loop when he couldn’t sign in with the new password.
Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or local media servers. A Plex spokesperson said the company has more than 30 million registered users and that the majority of them have been affected by the hack.
The notice issued on Wednesday said that company officials had already disclosed and repaired the means used by the hackers to gain access to the database. Engineers continue to perform additional reviews to prevent similar breaches from happening again.