Media Server Company Plex Hacked – Forum Servers Affected, But Payment Info Safe

Plex, a popular application that lets users organize and stream their media collections across devices, has been hacked. However, the attackers were only able to compromise the servers hosting the company’s forums and blog – not account information or users’ financial data, the latter of which Plex says is not stored on its own servers at all.

That being said, many Plex users had forum accounts which are linked to their Plex.tv account, which means that both accounts have been compromised as a result of the attack. As a precaution, Plex is blocking those users from accessing their accounts until they complete a password reset.

The hack itself took place on July 1st, and the hacker claiming to be responsible took to the forums, saying they had “obtained all of your data, customers as well as software and files.” The hacker also demanded a ransom, payable in the form of Bitcoin, or else the data would be released by way of “multiple torrent networks,” this person said.

Plex co-founder and CTO Elan Feingold responded, noting that the forums machine was “definitely compromised, likely via PHP/IPB vulnerability,” but Plex had “no reason to believe that any other parts of our infrastructure was compromised.” In addition, he noted that the forums run on a separate machine from the Plex.tv cluster. The worst-case scenario, Feingold also said, would be if the hacker were able to reverse the hashes of forum passwords and then sign into Plex.tv using that info. (Of course, since many people re-use their passwords around the web, the ramifications of the hacker doing this could be worse. But this seems unlikely to occur – the hacker was probably hoping for a quick payday.)

Since the hacker doesn’t seem to have gained full access to Plex systems, users’ personal data and payment data are safe. That being said, the company notes that the hacker was able to gain access to IP addresses, private messages, email addresses and encrypted forum passwords (hashed and salted). Though the passwords are encrypted, the company took the precaution of requiring users to change their passwords.

Users were alerted to the issue by way of an email. The email was only sent out to those whose forum accounts were tied to their Plex accounts, though, which means you may not have received it, even if you’re a Plex user yourself.

The company says that when its investigation is complete, it will post further details on its company blog. That post has not yet gone live, and the Plex forums remain down for the time being as Plex continues to research the situation.

UPDATE: The blog post is live, but contains no new information. The company maintains that it doesn’t believe any other parts of its system beyond the forums and blog were compromised.
