Plex discloses data breach, urges all users to change their passwords


Popular home media server service Plex has suffered a data breach and is urging all users to reset their passwords "out of an abundance of caution".

On Wednesday, the firm started emailing users to inform them of what had occurred and what they should do next.

Around 20 million users use Plex to stream their own uploaded video, music and photographs as well as the wide range of content that Plex offers to paying members.

According to the firm, an intruder potentially accessed a small portion of users' data, including usernames, encrypted passwords and email addresses.

As payment information is held on several systems, no credit card details were compromised.

"Rest assured that credit card and other payment data are not stored on our servers at all, and were not vulnerable in this incident," Plex said.

It added that "even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution, we are requiring all Plex accounts to have their password reset."

There is no indication that the hack allowed access to personal media libraries.

On Wednesday morning, many users reported experiencing issues while attempting to log in to their accounts.

Troy Hunt, a security expert, shared a screenshot of errors he received when trying to access his account.

A Plex representative told Ars Technica that user passwords were hashed using bcrypt, one of the most effective password-protection algorithms, which automatically adds cryptographic salting and peppering to make cracking more difficult.

The company said it has discovered how the databases were accessed and has taken steps to prevent such an incident from happening again. Further security measures would be taken into consideration after an assessment is completed, it added.

Although the data leak may not have affected all users, Plex is recommending that everyone with an account change their password to ensure safety. Here is a tutorial on how to reset your password if you use Plex.

After changing the password, the company suggests logging out of all linked devices and then logging back in as a precaution.

Two-factor authentication for Plex accounts is available and strongly recommended. Users should also change their passwords on any other websites using the same credentials.

The incident comes days after crowdfunding giant Kickstarter emailed around 5 million members and asked them to change their passwords, without providing any explanation.

After users raised concerns about a potential data breach, a company spokesperson clarified that the firm had not been hacked, and that the organisation was encouraging users to set a password for their accounts if they had not already done so. That included users who initially created their accounts using only their Facebook login information.