A Plex data breach has exposed usernames, email addresses, and encrypted passwords. As Troy Hunt, Microsoft Regional Director, said on Twitter “Aw crap, I’m pwned in a @plex data breach. Again. I can’t do anything to *not* be in a breach like this (short of not using the service)”

The scale of the security failure is not yet known, but the company is requiring all users to change their passwords and to turn on two-factor authentication. Plex is one of the largest media server apps available, used by around 20 million people to stream video, audio and photos they upload themselves, in addition to an increasing variety of content the service provides to paid subscribers.

Plex this morning emailed all users to advise them that a third party was able to access “a limited subset of data,” but did not reveal how many accounts were affected.

Many users have been able to change their passwords, but are experiencing other difficulties when logging in again. A number of users report getting “Not authorized” or “You do not have access to this server” messages for their own servers. Some report success when logging in and claiming the server again, though others have had no luck with this.

It appears Plex has not arranged sufficient additional bandwidth to cope with the flurry of password change attempts. Additionally, the password reset page asks for the new password before the existing one, which is obviously unexpected and may account for some of the failures.

The streaming media platform Plex has suffered a data breach and is asking users to reset their passwords.

Ed Macnair, CEO
InfoSec Expert
August 25, 2022 1:24 pm

Users should not be perplexed about the need to change their password. Plex is also highlighting the need to upgrade to two-factor authentication to best protect their data. Stringent password policies and two-factor authentication act as a good first line of defence. But that’s not a belt and braces approach to security.

There needs to be a move towards what Gartner have termed “SaaS-delivered Identity and Access Management”: where organisations apply identity-aware, context-based security to their whole ecosystem. It’s only by doubling down on security that we can protect ourselves against these types of targeted cyber-attacks.


Geoff Fisher, Sr. Director, Product Management
InfoSec Expert
August 25, 2022 1:13 pm

It appears Plex has put forth a sound incident response, and what appears to be many security best practices, but suffered an additional blow due to resource issues that further crippled their system when users attempted to change credentials en masse. What’s interesting is the potential fallout stemming from the tech “savviness” of Plex’s subscriber base and how they will respond to this breach. There could be implications down the road.

Ultimately, this intrusion reinforces the seemingly age-old adage to avoid the reuse of passwords. As a call to action, users should heed the recommendation to change their Plex credentials and utilize the available multi-factor authentication. More importantly, they should ensure they never reuse passwords across applications or platforms. This can’t be overstated because a successful attack can happen against any organization, so it’s important to do your part with password variations to mitigate the fallout.
