What "best practices" did Plex actually use for password security? Tell us Plex

Does anyone know offhand what hashing was/is employed on the Plex passwords? I feel like Plex should disclose this information as part of this breach. For those of us who use unique passwords, this is not an issue - but let’s face it… most do not. The first order of business after someone has run off with a login database is to determine the plain-text passwords - usually using a rainbow table (CAPEC - CAPEC-55: Rainbow Table Password Cracking (Version 3.7)) and a cluster of GPUs (usually using a stolen cloud account). If Plex was using a strong hashing technique, this will take some time for the attacker to pull off. However, if they were not using a password-worthy hashing system, or even worse… were not using one at all… then the attacker may already have determined the plain-text passwords and can use that information to breach other accounts or access Plex servers.

Their announcement states “all account passwords that could have been accessed were hashed and secured in accordance with best practices”. Best practices are pretty well established for passwords at this point in the industry. If they truly are using best practices, then no harm will come from disclosing what those practices actually are.

Plex should disclose this information today if they value transparency and trust with their users.

I have no idea, but it’s already clear that they value transparency and trust.

Data breaches are incredibly common, but being fully transparent about them is not. Even less common is notifying users the morning after the activity is noticed.

I think their actions so far have been amazing and should be seen by everyone as the perfect example of what to do after a breach. Let’s see if they keep that going by sharing the details of what they were doing before the breach, and what they’re doing after to prevent it.

I don’t expect any more info today - they should be busy dealing with the disruption. They got the most crucial notices sent out already; huge kudos to them for that. Give it a week :grin:

I completely agree that announcing the breach right after it occurred is absolutely above and beyond the industry norm (by a long shot). However, the industry norm is borderline criminal so comparing Plex to say… T-Mobile (the poster child of ludicrously bad security) is not really useful in this context.

Let’s say Plex pointed out that they were hashing passwords with either PBKDF2 or Argon2 with sufficient iterations and a proper salt… if I used the same password in other places, I know that I need to update it in those places (and hopefully adopt better password practices) - but I don’t need to drop what I am doing this morning to do so. In other words - it’s important to take care of, but not an absolute emergency.

If on the other hand they pointed out that they were using SHA-1 with no salt (i.e. plain-text passwords already likely revealed), then we know we need to track down everywhere important the password could have been used immediately.

Also, everybody uses the “best practices were followed” wording when disclosing this stuff - so much so that it has lost meaning. T-Mobile follows best practices, but they have a major breach at least once a year like clockwork. Is it too much to ask for timely disclosure of what those best practices are? Just because doing so is WAY above and beyond the norm, if nobody ever presses for more - the norm will never change.
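An added example (not Plex’s code and not from anyone in this thread) of the two cases the post above contrasts: a salted, peppered, iterated KDF versus unsalted SHA-1. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, since bcrypt is a third-party package; the pepper value, iteration count and record format are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed pepper for this example. In a real deployment it lives in a
# secrets manager or HSM, separate from the database that stores the hashes.
PEPPER = b"example-pepper-not-a-real-secret"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    # The pepper is mixed in with HMAC before the KDF, so a dumped table cannot be
    # attacked offline without also stealing the pepper from the application tier.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.split("$")[3], dk_hex)


def unsalted_sha1(password: str) -> str:
    """The weak scheme from the thread: same password -> same hash for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                 # False
    # Two users with the same password: salted records differ, SHA-1 ones collide,
    # which is exactly why a precomputed table works against the unsalted scheme.
    print(hash_password("hunter2") == hash_password("hunter2"))   # False
    print(unsalted_sha1("hunter2") == unsalted_sha1("hunter2"))   # True
```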

DaveBinM did share a bit of information on reddit earlier today.

Passwords were hashed with salt and pepper (I can’t remember the exact hashing algorithm off the top of my head, but it’s not MD5)

https://www.reddit.com/r/PleX/comments/wwb93o/comment/ilkcpj2/?utm_source=share&utm_medium=web2x&context=3

UPDATE:

We’re using bcrypt

Reddit thread

Exactly as mentioned previously, passwords were hashed with bcrypt, and salted and peppered.

Thanks DaveBinM,

That is super helpful and exactly what I was asking about. My apologies that I missed the previous announcement where that information was disclosed.

No worries! It was just a link to me saying the same thing on Reddit :slight_smile:

In other words, since the passwords are so secure there really isn’t any point in all this change-password panic going on the whole day here on Plex and the massive number of threads about not being able to claim back their servers.

While we’re still investigating the extent of the breach, there is a risk that tokens may have been compromised, which is why we’re asking everyone to change their password, and sign out all devices.