Streaming media platform Plex has confirmed a data breach and is warning users to change their passwords.
Plex said it discovered the compromise on Tuesday and found the intruder had accessed “a limited subset of data that includes emails, usernames, and encrypted passwords.” Plex vice-president of engineering Schuyler Ullman told TechCrunch that user account passwords are hashed — essentially scrambled in a way that makes them unreadable to humans — using the stronger bcrypt algorithm, and further protected by cryptographic concepts known as salting and peppering, which makes it far more difficult for attackers to unscramble stolen passwords.
Plex said credit card and payment data is not stored on its servers.
Plex is one of the largest media streaming apps, allowing users to stream movies and live television, as well as their own audio, video and photos hosted on their own home media servers. Plex has more than 30 million registered users. Both personal media and streaming customers are affected by the breach, a spokesperson said.
When reached, a spokesperson did not say how many users are affected by the breach, only that “the majority of accounts” are affected, but Plex is asking all users to reset their own passwords. After Plex emailed users about the breach overnight, some said that their password resets weren’t working or were throwing errors when trying to sign out of other connected devices.
Plex said in its email to customers that it has “already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions,” without saying what the cause of the intrusion was.
Details about the incident remain otherwise slim, and Plex has not yet announced the breach on its website or on its social media. Plex spokespeople did not immediately respond to our questions.
Updated with additional information from Plex.