
Plex Data Breach Forces Password Reset for Millions of Users

Plex issued password reset notices after detecting a data breach in which an unauthorized party accessed a user account information database and obtained a limited subset of data.

The Los Gatos, California-based media company did not disclose the number of impacted users. However, a Plex spokesperson said most registered users, numbering about 30 million, were affected by the August 24 data breach.

Plex media streaming services allow users to watch media content such as television, movies, audio, and pictures, with the option of pausing, saving, and resuming broadcasting content.

Plex password reset was a “necessary precaution” after a “limited” data breach

Plex acknowledged the “limited” data breach in an email statement sent to millions of impacted customers.

“Yesterday, we discovered suspicious activity on one of our databases,” Plex wrote in an emailed data breach notification. “We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.”

However, the threat actor did not access credit card and other payment data because the media streaming platform does not store that information on the compromised server.

Additionally, Plex asserted that the compromised account passwords were hashed and secured using the industry’s best standards. According to company officials, Plex hashes passwords with the one-way bcrypt algorithm with salting. Bcrypt generates a unique salt for each password, so an attacker cannot derive a salt-generation pattern and has to attack each hash separately. This practice increases the complexity of the generated hashes, increasing cracking time and reducing the attacker’s ability to recover plaintext passwords at scale.
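To make the salted-hashing point concrete, here is an added example (not Plex's code) contrasting per-password salted, iterated hashing with a fast unsalted hash; it uses PBKDF2 from Python's standard library as a stand-in for bcrypt, which Python does not ship, and the account table is constructed.

```python
# Added example (not Plex's code): per-user salted, slow password hashing versus a
# fast unsalted hash. PBKDF2 from the standard library stands in for bcrypt,
# which is not in the standard library; the structure of the argument is the same.
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 200_000  # work factor, the analogue of bcrypt's cost parameter

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'iterations$salt$digest' (salt and digest hex-encoded)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password, as bcrypt does
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def unsalted_sha256(password: str) -> str:
    """The weak alternative: fast, and identical for every user with that password."""
    return hashlib.sha256(password.encode()).hexdigest()

def shared_hash_count(table: Dict[str, str]) -> int:
    """Number of hash values that appear under more than one username.
    A leaked unsalted table shows which users share a password, and one
    precomputed guess cracks all of them; a salted table reveals nothing."""
    counts: Dict[str, int] = {}
    for digest in table.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(1 for n in counts.values() if n > 1)

# Constructed sample account table: two users chose the same password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
UNSALTED_TABLE = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
SALTED_TABLE = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}

if __name__ == "__main__":
    print("shared hashes, unsalted:", shared_hash_count(UNSALTED_TABLE))  # 1
    print("shared hashes, salted:  ", shared_hash_count(SALTED_TABLE))    # 0
    print("verify alice:", verify_password("hunter2", SALTED_TABLE["alice"]))
```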

However, the streaming platform advised users to reset their passwords out of “an abundance of caution.” Additionally, they should terminate all logged-in sessions to dislodge any possible rogue devices connected to their accounts after the data breach.

“Even though it looks like only the password hashes of impacted users have been stolen, Plex is appropriately telling people to change their passwords,” Roger Grimes, data-driven defense evangelist at KnowBe4, said. “This is because it’s quite easy for attackers to do password hash cracking (i.e., guessing) to turn stolen password hashes into the user’s plaintext password, in most cases.”

Grimes added that attackers could rent password cracking infrastructure on the cloud for $50-$100 and guess trillions of passwords per second. He also said user-generated passwords had to be 20 characters long to withstand password cracking. With password reuse, simple passwords, and existing cracked password dictionaries, attackers had a good chance of exploiting leaked hashed passwords.

Recommending password reset, Grimes stated that “most people’s passwords will fall within just a few hours to maybe a day of guessing.”

Plex provided step-by-step instructions for the password reset process. However, a few customers complained of problems while resetting passwords or re-authenticating.

“It appears Plex has put forth a sound incident response and what appears to be many security best practices but suffered an additional blow due to resources issues that further crippled their system when users attempted to change credentials en masse,” Geoffrey Fisher, Sr. Director, Integration Strategy at Tanium, said. “What’s interesting is the potential fallout stemming from the tech ‘savviness’ of Plex’s subscriber base and how they will respond to this breach. There could be implications down the road.”

Users warned of social engineering and phishing attacks

Meanwhile, Plex said it rectified the security flaw exploited by the attacker and took additional steps to harden its systems to prevent a similar data breach in the future. However, the streaming platform did not disclose the attack vector exploited by the attacker in the latest data breach.

Plex also warned users of social engineering and phishing attacks, adding that it never requests credit card numbers or account passwords via email.

“As a call to action, users should heed the recommendation to change their Plex credentials and utilize the available multi-factor authentication,” Fisher said.

While a password reset was necessary, Plex users should explore additional strategies for protecting their accounts from potential data breaches. These methods include enabling multi-factor authentication and using a password manager to generate, store, and autofill strong passwords. They should also reset their passwords on any other websites where they reused the leaked credentials.

“While the compromise of account credentials certainly means that Plex users should change their existing passwords on the platform as soon as possible, one of the bigger concerns of any data breach involving the compromise of credentials is follow-on password reuse attacks on other platforms using the stolen account information,” said Crane Hassold, Former FBI Analyst and Director of Threat Intelligence at Abnormal Security.

Hassold explained that cybercriminals exploit people’s habit of reusing email and password combinations across various websites, thus increasing the impact of a single data breach.