We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.

What happened

An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.

Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.

What we’re doing

We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.

What you must do

If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.

If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

Additional Security Measures You Can Take

We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.

Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.

For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset

  • Phoenixz@lemmy.ca
    link
    fedilink
    English
    arrow-up
    12
    arrow-down
    1
    ·
    2 months ago

    Not entirely

    Firstly you don’t “generate hashes until there is a match”. You can generate hashes until the end of the universe and you’ll still have only a fraction of all possible hashes.

    What typically is used are large lookup tables with hashes from known passwords. You can then take that table, take a hash you got, and look it up.

    So firstly, hashes should be salted, and if salted correctly, it’s already extremely much harder to use because these tables no longer work. There are few more things you can do but that pretty much is a hard wall already.

    The problem is that many corporate systems out there have horrible security. They either use a hash that has been known to be broken since a long time ago (hello LinkedIn), don’t use salting (hello linkediiiiiinn), or don’t use hashing at all.

    It’s because of idiots like these that there are so many accounts with password tables out there

    What to do?

    Use password managers. Now all your site’s have different, safe passwords and you only need to know one. Use 2FA where possible and supported

    • Mose13@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      2 months ago

      Can you also use a list of common passwords and a ruleset you apply to those common passwords, and then hash(applyRule(commonPassword), salt) == compromised hash ?

      • Phoenixz@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 month ago

        That’d basically how these hash tables work, they have the account and hash and known password so you can do rapid lookups

      • AA5B@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        I’m not entirely sure what you mean but my password manager alerts when the hash of one of my passwords matches one from a dark web data dump, and prompts me to replace it with a newly generated one.

        I’m sure it’s not a unique feature

        Admittedly I do have a few bad password, a combination of I don’t see how I could care (like a Reddit alt account) and sites that break the password change automation (yeah I’m lazy)

        • Mose13@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 month ago

          I wonder how that works. The point of password hashing is to uniquely scramble your password. So userOneHash(“password”) should give a different output than userTwoHash(“password”) even if they use the same password. So your password manager shouldn’t really be able to generate the same password hash since an infinite number of hashes can be generated from the same password.

          • Phoenixz@lemmy.ca
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 month ago

            A hash is just a mathematical algorithm that generates a somewhat unique number from any input, and usually in such a way that the tiniest difference generates a completely different hash.

            I can put a single letter in a hash, I can put the entire Bible in a hash, I can put the entire universe in a hash, the output is always the same amount of bytes.

            For example, if I have a hash algorithm that generates a two letter hash, a-z, then the input “Lemmy” could give me “WK” while “Lemmx” (literally one bit difference in binary) could give me “AV”. If I put the Bible in there, I could get out “XX”, for example.

            The same input always generates the same output, and another important tidbit: hashing is always one way, you can’t do it in reverse.

            Also important, as you probably already noticed: the hash contains (usually, but not necessarily) much less information than the original input. This means that at some point, two different inputs can generate the same output, that’s called a collision.

            If the entire world would use the same hash all the time, and users would all use the same password for every website, then all the hashes for all the websites would be the same.

            Now, humans are humans, and most humans use a fairly limited set of passwords. Sole people try to be ingentilent by replacing “s” with “5”, thinking that computers won’t get that.

            Then, somebody started compiling a list of all known passwords with all variations and put them in a table. Then they went over each password, and hashed it with a bunch of well known hashing algorithms. Those tables, called rainbow tables iirc, are super easy and fast lookup tables if you have a hash and want to see what password it could have been.

            Now what can websites do to protect against this? They can “salt” the password by prefixing then with a random text string only known to the website. If I download the database of that website, all the hashes will now be different and I won’t be able to do the lookup anymore. Better even would be to also include the user id in there, making it even harder to decipher.

            What can users do? Don’t use those “Kn0w13DgE” passwords, use a random string of characters. Use unique passwords for each site. Use a password manager which will do both for you so you won’t have to remember anything