Plex, a popular media streaming platform, has issued a warning to its customers regarding a recent data breach. During the incident, a hacker stole customer authentication data. As a result, users are being advised to reset their passwords.
According to Plex, the stolen data includes email addresses, usernames, securely hashed passwords, and authentication data.
In its data breach notification, Plex stated: “We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure. An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.”
The company added that no payment card information was stolen.
As to what this latest data breach means for customers, Karolis Arbaciauskas, head of product at NordPass, has told Digital Journal: “Plex stresses that account passwords were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. But we still recommend resetting passwords. You can do this here. I would also advise enabling the ‘Sign out connected devices after password change’ option and turning on two-factor authentication for added protection.”
Arbaciauskas offers further advice: “For those using SSO to log in, it would be best to log out of all active sessions. That can be done here, by clicking the button ‘Sign out of all devices.’ For step-by-step instructions on how to reset your password, visit this link.”
There are a few housekeeping activities to consider, which Arbaciauskas identifies: “Remember to also inform your family and friends about this change. After a password reset, users will need to log in again on all their devices using the new credentials. A password manager can be helpful for securely generating and sharing these new credentials.”
Another factor is to change passwords if the same password has been used to access other platforms: “Although the company insists the data leak was limited and the passwords were hashed, users should still be extra careful, especially if they reuse passwords. And people do reuse passwords. As many as 62% of Americans, 60% of Brits, and 50% of Germans admit doing so across multiple online accounts, our survey shows.”
Arbaciauskas outlines the risk of not doing so: “For those who reuse passwords, there’s a risk that some credentials may have already been or will be exposed on the dark web. It’s highly probable that malicious actors will attempt to connect the dots and use these previously leaked passwords to gain unauthorized access to Plex accounts.”
Arbaciauskas further cautions: “Remember that after major data leaks, social engineering attacks tend to intensify. So users should be a bit more suspicious for some time. Be wary of unsolicited emails and messages, even if they seemingly are from Plex or even the police. If you receive such messages, be extremely careful because links can lead to pages that are designed to steal even more of your data. If you are not sure about the email or a message, it is better not to click on the link. In its breach notification, Plex also emphasizes that it never reaches out over email to ask for a password or credit card number for payments.”
