Plex Breach Exposes Account Data, Including Passwords

Plex has warned its customers of a security breach, after a ‘third-party gained access to its system’.

The American streaming media service sent out an email to its customers on Wednesday notifying them of a security breach that may have compromised account information.

Compromised account data includes usernames, email addresses, and passwords. Plex’s message reportedly says “all account passwords that could have been accessed were hashed and secured in accordance with best practices.”

Plex breach

Plex is still advising all users to change their passwords immediately and upgrade to two-factor authentication if that’s not already in place.

And the good news is that it seems that financial information has not been compromised

Plex is one of the largest media server apps available and is used by around 20 million people to stream video, audio, and photos they upload themselves, as well as an increasing volume of content the service provides to its paid subscribers.

One such Plex user is Troy Hunt, creator of the Have I Been Pwned website, where people can check if their information has been compromised.

He took to Twitter and published a copy of Plex’s email to its customers.

Hunt wrote that thanks to his use of a random generated password and 2FA (two-factor authentication), his risk has been reduced to an inconvenience.

“We want to you to be aware of an incident involving your Plex account information yesterday,” the Plex email states. It said it believes the actual impact of this incident is limited however.

“Yesterday, we discovered suspicious activity on one of our databases,” it said. “We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.”

It said that even though all account passwords that “could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.”

Plex assured customers that credit card and other payment data were not stored on its servers at all, and were not vulnerable in this incident.

The cause of the breach has been found, and Plex says it has taken action to prevent others from taking advantage of the same security flaw.

“We’ve already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions.”

Password security

One security expert noted that improved password policies and two-factor authentication are not the only step that should be followed.

“Users should not be perplexed about the need to change their password,” said Ed Macnair, CEO of cybersecurity provider CensorNet. “Plex is also highlighting the need to upgrade to two-factor authentication to best protect their data.”

“Stringent password policies and two-factor authentication act as a good first line of defence,” said Macnair. “But that’s not a belt and braces approach to security.”

“There needs to be a move towards what Gartner have termed ‘SaaS-delivered Identity and Access Management’: where organisations apply identity-aware, context-based security to their whole ecosystem,” said Macnair.

“It’s only by doubling down on security that we can protect ourselves against these types of targeted cyber-attacks,” he concluded.

Password reuse

Another security expert warned of the dangers of password reuse, and noted a system error at Plex when users attempted to change their credentials.

“It appears Plex has put forth a sound incident response, and what appears to be many security best practices, but suffered an additional blow due to resources issues that further crippled their system when users attempted to change credentials en masse,” said Geoffrey Fisher, senior director of integration strategy at Tanium.

“What’s interesting is the potential fallout stemming from the tech ‘savviness’ of Plex’s subscriber base and how they will respond to this breach,” said Fisher. “There could be implications down the road.”

“Ultimately, this intrusion reinforces the seemingly age-old adage to avoid the reuse of passwords,” Fisher added. “As a call to action, users should heed the recommendation to change their Plex credentials and utilise the available multi-factor authentication.”

“More importantly, they should ensure they never reuse passwords across applications or platforms,” said Fisher. “This can’t be overstated because a successful attack can happen against any organisation, so it’s important to do your part with password variations to mitigate the fallout.”