Card data not exposed, passwords hashed and salted

Jul 2, 2015 13:22 GMT  ·  By

Registered users of the Plex media server forums have received an email from the company today informing of a breach that exposed private data tied to accounts.

The official message (embedded below) instructs users to change their passwords, even though they were stored in hashed and salted form rather than in plain text, so there is little chance of recovering them directly.

Change Plex password

“Sadly, we became aware this afternoon that the server which hosts our forums and blog was compromised. We are still investigating, but as far as we know, the attacker only gained access to these parts of our systems,” the communication begins.

Paying customers were assured that card-related information was not at risk at any time because this type of data is not stored on Plex servers at all.

Forum users are the most affected, as their IP addresses, private messages and email addresses were exposed. A company representative said that the investigation is ongoing but that the vulnerability exploited was most likely related to PHP/IPB (Invision Power Board, the forum software).

The same old, but mostly ignored, advice for choosing a new password was passed on to impacted users: “choose a strong password, never share it, and never re-use passwords for different accounts!” Plex also recommended using a password manager to store these unique passwords safely.

Hacker asks for ransom to be paid

A post on Reddit, allegedly from the perpetrator, claimed that Plex had until tomorrow to pay them 9.5 bitcoins (currently $2,427 / €2,190) or the user data would be spilled into the public domain. If the ransom is not paid by July 3, the attacker said that the fee would increase to 14.5 bitcoins (currently $3,705 / €3,340).

“Eventually if no BTC payment is made, the data will be released via multiple torrent networks and there will be no more plex.tv,” the hacker allegedly said, before Plex confirmed the incident.

The note from the perpetrator also said it did not matter who paid the ransom: individual users could contribute as well, in exchange for having their own data removed from the leak.

Email From Plex