Plex users may want to change their passwords as soon as they're able. The digital media player and streaming service said a bad actor had infiltrated its system in a letter sent to users affected by the breach. In it, the company has revealed that it immediately started an investigation after it saw suspicious activity in one of its databases. Based on what it saw, Plex said it does appear that a third-party entity got access to a subset of its data, which includes people's emails, usernames and encrypted passwords.
Even Troy Hunt of Have I Been Pwned was affected. As he noted in his tweet, there's nothing anyone can do to be exempt from service hacks, but using a password generator and 2FA make their impact much less severe. To note, he encountered an error while trying to change passwords and found that not signing out existing devices made the switch go through.
Aw crap, I’m pwned in a @plex data breach. Again. I can’t do anything to *not* be in a breach like this (short of not using the service), but a @1Password generated random password and 2FA enabled makes this a mere inconvenience rather than a genuine risk. pic.twitter.com/XetB3IGUh3
— Troy Hunt (@troyhunt) August 24, 2022
Plex said it has already addressed the method the bad actor used to infiltrate its system, but it didn't elaborate on what method that is or what vulnerability the hacker exploited if any. The company also vowed to do additional reviews to make sure its systems are "further hardened to prevent future incursions." For now, Plex is requiring all users to change their passwords "out of an abundance of caution" even if all the passwords the hacker got access to were hashed. It also assured all users in its letter that it doesn't store credit card numbers and other payment data in its servers, so the bad actor wasn't able to get access to them.