Streaming media platform Plex has reported a hack and urges millions of its users to change their passwords urgently.
During the attack, the intruders gained access to the database and stole data, including usernames and email addresses, belonging to at least 15 million people.
Let me remind you that we also wrote that Attackers Stole Credentials from Twilio Employees and Eventually Hacked the Company.
The notification letters that Plex sent to users said that the attackers were able to gain access to a “limited subset” of accounts.
Even so, the company encourages all users to change their passwords as soon as possible. Plex does not force password resets, and when you log in with old credentials, you are not prompted to reset your password. Everything has to be done manually, and after changing the password, it is recommended to log out of all connected devices and then log in again.
Plex VP of Engineering Schuyler Ullman told TechCrunch that user account passwords are hashed using the strong bcrypt algorithm and further protected by cryptographic techniques known as salting and peppering. Hashing is a one-way transformation rather than encryption, so the stored values cannot simply be decrypted; an attacker has to guess candidate passwords and hash each guess. This makes it much harder for attackers to recover the stolen passwords.
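To show what salting and peppering each contribute, here is an added example that is not Plex's code. It assumes scrypt from the Python standard library as a stand-in for bcrypt, and the function names and pepper value are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed demo pepper. In a real deployment the pepper is a secret kept
# outside the database (KMS, HSM or app config), never stored beside the hashes.
PEPPER = b"constructed-demo-pepper-not-a-real-secret"

# scrypt cost parameters (assumption: stand-in for bcrypt's work factor).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def _peppered(password: str, pepper: bytes) -> bytes:
    # Pepper step: key an HMAC with the server-side secret, so a database
    # dump alone is not enough to test password guesses offline.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    # Salt step: a fresh random salt per user, stored next to the hash, so
    # identical passwords never produce identical records.
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(_peppered(password, pepper), salt=salt, **SCRYPT)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(_peppered(password, pepper), salt=salt, **SCRYPT)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    alice, bob = hash_password(pw), hash_password(pw)
    print("same password, different records:", alice["hash"] != bob["hash"])
    print("login with the right password:", verify_password(pw, alice))
    print("right password, wrong pepper:", verify_password(pw, alice, pepper=b"guess"))
```

The last check is the case that matters after a database theft: a stolen record can only be tested against guesses by someone who also holds the pepper.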
The Plex developers claim that they have already determined how outsiders were able to access the database and fixed the problem. However, the company does not disclose any details about the attack and the measures taken after it.
Interestingly, the plex.tv website has been down for quite some time, and it is not entirely clear whether this was due to the unauthorized access to the database or whether the platform was subjected to a separate DDoS attack. Some users believe that the servers simply could not withstand the influx of people wanting to change their passwords.