Hi all,
After the breach, I got messages from my bank that I try to use one of my CC. I bought Plex Pass with this one.
Thanks
Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
What about users that log on with Gmail account. Do they need to change their Gmail password?
No, that is not necessary.
There is no way for an attacker to get from a Plex account back to the federated authentication provider (i.e. Google, Facebook, Apple…)
Thank you for the answer. Much appreciated.
Be advised that your Plex account does have a regular password (in addition to being linked to Google).
Which means that you still need to change that password.
Do it here https://app.plex.tv/desktop/#!/settings/account (if you still know this password)
I am shocked. Password just changed. Now no unauthorized person can access all my very private data.
There is a lot of sensitive information in the Plex, very private. Just from the file names in the photo library you can see where we were on vacation, where we live, the name of our dog, our friends, when our children’s and friends’ birthdays are, who got married and when, etc…
Can’t tell if serious… But either way you should really read the Plex team’s full post on this. They only got email addresses, usernames, and hashed+salted+peppered passwords, meaning that the passwords were encrypted and encrypted in a way that’s nigh impossible to decrypt without the keys which they don’t possess.
They only got email addresses, usernames, and hashed+salted+peppered passwords, meaning that the passwords were encrypted and encrypted in a way that’s nigh impossible to decrypt without the keys which they don’t possess.
and yet they urge everyone to change their “uncrackable” passwords …
As opposed to the recent news of the LastPass breach? I’d say this Plex breach is the least of everyone’s worry. Every news outlet and YT channel has ADVISED all their viewers to change their Plex password despite it being a non-issue. FFS, just do what was required via the email and let this go. Plex already made it clear that no payment information was accessed. I am known around here for being dramatic and outlandish with my statements but this one issue is not as bad as it would have been. I’m imagining how furious I’d be had I NOT had 2FA as an option on the Plex platform. How many times do we have to see posts of Plex accounts needing password resets all because people forgot them? It’s considered IT support 101. Password resets are a normal and everyday activity for lots of people. While it is a headache, it makes sense to just stop whining and do what’s necessary, something you’d be doing anyway with your bank accounts.
I am shocked. Password just changed. Now no unauthorized person can access all my very private data.
- How can I contact the Plex security team?
- What information was captured?
- What information was in this database?
- Has the address, phone number, email addresses, usernames, bank details been stolen?
- What about information from server libraries?
There is a lot of sensitive information in the Plex, very private. Just from the file names in the photo library you can see where we were on vacation, where we live, the name of our dog, our friends, when our children’s and friends’ birthdays are, who got married and when, etc…
If someone were to take the stolen list of compromised hashed passwords, they would have to spend the insane amount of time reverse-hashing your particular password-hash in order to find the original password text. This could take weeks or even months (Unknown how large the hash algorithm they used) to crack your password. Even then, this would only apply to a single account, as each account uses a unique salt as part of the hash, so they would have to try every single possible letter/number/special-character combo on every single account. So they would most likely focus on publicly well-known accounts rather than a random account like yours.
Even then, all they get is the ability to log into your account. This would then allow them to inflict chaos upon your settings, including password change and deauthorizing your devices. This WOULD allow them to see your server content as well. But if you change your password as they suggested/demanded, then this is not a problem.
What the hackers have now is basic Plex-side account information (that they have “promised” is basic mostly-worthless stuff if you change password). Plex intentionally does not collect any information on what your personal servers contain/provide, for pretty much this reason (and more).
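An added example, not part of any post in this thread and not Plex's code, of the salted and peppered password hashing the posts above refer to. The thread does not say which algorithm Plex uses, so PBKDF2-HMAC-SHA256 is an assumed stand-in, and every name and sample value is constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for the real, unnamed algorithm.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Mix in the server-side pepper with HMAC, then stretch with the per-account salt."""
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)

def new_record(password: str, pepper: bytes) -> dict:
    """What a database row would hold: salt and hash, never the pepper or the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt, pepper)}

def verify(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])

def demo() -> dict:
    pepper = os.urandom(32)        # constructed; lives outside the database
    other_pepper = os.urandom(32)  # stands for not knowing the real pepper
    # Two constructed accounts that happen to share one password.
    alice = new_record("correct horse", pepper)
    bob = new_record("correct horse", pepper)
    # Work done against alice's salt does not carry over to bob's row.
    reused = hash_password("correct horse", alice["salt"], pepper) == bob["hash"]
    return {
        "same_password_same_hash": alice["hash"] == bob["hash"],
        "login_ok": verify("correct horse", alice, pepper),
        "wrong_password": verify("correct h0rse", alice, pepper),
        "right_password_without_pepper": verify("correct horse", alice, other_pepper),
        "alice_work_reusable_for_bob": reused,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only `login_ok` comes out true: identical passwords produce different stored hashes, and even the correct password fails to verify without the pepper, which is why a copy of the database rows alone is of limited use.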
I too had fraud on my credit card that I used for the Plex Pass right before this breach was announced. Had to cancel my card and get a new number. It seems too coincidental that it was not related. Not very “rest assured”.