Streaming service suffers data breach

Twenty-five million users urged to reset passwords

Media streaming platform Plex has told users to reset their passwords following a data breach that exposed customer authentication data.

In a forum post on 8th September, Plex confirmed that an "unauthorised third party" had accessed a subset of customer data from one of its databases.

The company described the impact as "limited" and said the intrusion was quickly contained.

However, the compromise still affected sensitive information including usernames, email addresses, authentication data and securely hashed passwords.

Plex said payment card information was not exposed because it is not stored on its servers.

"Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party," Plex wrote.

The company said it contained the incident quickly, but did not share details about how the attacker got in or which hashing algorithm was applied to the passwords. That matters because hashed passwords are not unreadable in practice: an attacker holding the database can guess candidate passwords offline and compare the hashes, and how long that takes depends on whether the scheme is salted and uses a slow, memory-hard function rather than a fast general-purpose hash.
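To make the offline-cracking point concrete, here is an added example (not code from the article or from Plex) that runs a dictionary attack against two constructed user tables: one holding unsalted SHA-256 digests, the other salted scrypt digests. The user names, passwords, wordlist and hashing parameters are all assumptions chosen for illustration. With the unsalted fast hash the attacker hashes each guess once and reuses it against every user; with a per-user salt every (user, guess) pair costs a full memory-hard derivation.

```python
import hashlib
import os
import time

# Constructed sample data for the demonstration (not real breach data).
SAMPLE_USERS = {"alice": "hunter2", "bob": "plexrocks", "carol": "Tr0ub4dor&3"}
ATTACKER_WORDLIST = ["password", "letmein", "plexrocks", "correcthorse", "hunter2"]

# Assumed scrypt parameters: N=2**14, r=8, p=1 (16 MiB per derivation).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def weak_hash(password: str) -> str:
    """Unsalted SHA-256: fast, and identical input gives identical output."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt plus memory-hard scrypt: slow on purpose."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def build_unsalted_table(users: dict) -> dict:
    """What a leaked table looks like when passwords are only hashed."""
    return {user: weak_hash(pw) for user, pw in users.items()}


def build_salted_table(users: dict) -> dict:
    """What a leaked table looks like with a random 16-byte salt per user."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, strong_hash(pw, salt))
    return table


def crack_unsalted(records: dict, wordlist: list) -> tuple:
    """Offline attack: one hash per guess, matched against all users at once.
    Returns (recovered passwords, number of hash computations)."""
    lookup = {weak_hash(guess): guess for guess in wordlist}
    found = {user: lookup[digest] for user, digest in records.items()
             if digest in lookup}
    return found, len(wordlist)


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Same attack against salted scrypt: the salt defeats precomputation,
    so every (user, guess) pair needs its own derivation.
    Returns (recovered passwords, number of KDF computations)."""
    found, calls = {}, 0
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            calls += 1
            if strong_hash(guess, salt) == digest:
                found[user] = guess
                break
    return found, calls


if __name__ == "__main__":
    weak_table = build_unsalted_table(SAMPLE_USERS)
    strong_table = build_salted_table(SAMPLE_USERS)

    t0 = time.perf_counter()
    weak_found, weak_calls = crack_unsalted(weak_table, ATTACKER_WORDLIST)
    t1 = time.perf_counter()
    strong_found, strong_calls = crack_salted(strong_table, ATTACKER_WORDLIST)
    t2 = time.perf_counter()

    print(f"unsalted SHA-256: recovered {weak_found} "
          f"with {weak_calls} hashes in {t1 - t0:.4f}s")
    print(f"salted scrypt:    recovered {strong_found} "
          f"with {strong_calls} derivations in {t2 - t1:.4f}s")
```

Both schemes give up the two users whose passwords are in the wordlist, because hashing does nothing for a guessable password; the difference is cost. The unsalted table falls to five SHA-256 calls shared across all users, while the salted scrypt table needs a separate derivation for every user and guess (thirteen here), each tens of milliseconds rather than microseconds. Scaled to a realistic wordlist and tens of millions of accounts, that gap is what decides whether "securely hashed" buys users time to reset.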

As a precaution, Plex is recommending all users reset their passwords and select the "Sign out connected devices after password change" option.

Doing so will log out all devices currently using those credentials, requiring users to log back in.

For those who use single sign-on (SSO) to access Plex, the company recommends logging out of all active sessions to ensure account security. It also encourages enabling two-factor authentication for added protection, and reminds customers it will never request passwords or credit card information by email.

Plex, which allows users to organise and stream their personal libraries of movies, shows, music, photos, and more, is estimated to have over 25 million active users worldwide.

This is not the platform's first security incident. A similar breach occurred in August 2022, again exposing authentication data and hashed passwords.

Last month, Plex patched a vulnerability in its Plex Media Server software (versions 1.41.7.x to 1.42.0.x) after a security researcher reported the flaw through its bug bounty programme.

Cybersecurity expert Kev Breen from Immersive commented on the breach, noting that the complexity of streaming platform infrastructures - which include cloud storage, content delivery networks, APIs and user-facing applications - creates multiple attack paths.

He cautioned that stolen data could be used for identity theft, phishing, or extortion schemes targeting Plex users.

"As well as personally identifiable information, streaming platforms also store data on user preferences, meaning attackers can develop more targeted social engineering campaigns. Such data is likely to be leveraged by cybercriminals to extort money from Plex, as well as for identity theft and phishing campaigns."

He added, "Plex is unlikely to be used in an enterprise setting. However, people often re-use passwords or follow patterns when creating them. This means that a user affected at home could also have an impact on organisations.

"Users should make use of free services such as Have I Been Pwned to check for data breaches, which have become more common in recent years, and take action if notified that their credentials have been compromised."