American streaming service Plex has urged its customers to change their passwords following a third-party data breach that allowed unauthorized access to users’ emails, usernames and encrypted passwords.
In a statement sent to Plex customers and posted on its forum, the company said it had “discovered suspicious activity on one of [its] databases” on August 23, 2022 and had investigated the activity immediately. The company said that it “does appear” that a third party was able to “access a limited subset of data that includes emails, usernames and encrypted passwords”.
The statement noted that it was “out of an abundance of caution” that Plex was requiring all customers to reset their passwords, as those that may have been accessed in the breach were “hashed and secured in accordance with best practices”.
The company recommended that customers use its feature to sign out of all connected devices following the password change to increase their account’s security. They should also enable two-factor authentication if they have not already done so.
While Plex said that it had identified how the third party gained access to the database, it did not share the method with customers. The company noted that it was working to mitigate the incident and to prevent further ones from happening in the future, and that it will “never be complacent in hardening [its] security and defenses”.
Tough day for @plex pic.twitter.com/daAqJFwfZU
Unfortunately, the instruction to reset passwords has led many Plex customers to complain that the site itself was down, with one Twitter user remarking that it was a “tough day for Plex”. Another said that the site’s crashing was “interesting timing given the data breach and hack yesterday and off the back of an urgent password reset”.
As the website appears to be functioning normally at the time of writing, the service disruptions were most likely the result of a sharp increase in traffic to the site following the password reset instruction.
Is the @plex website down for anyone else or just me? Seems interesting timing given the data breach and hack just yesterday and off the back of an urgent password reset.
This is not the first time a streaming site has been the victim of a third-party data breach. Video game streaming service Twitch reported a data breach in October 2021 which exposed Twitch creator payouts as well as data from Twitch’s source code repository.
No login details or payment information were exposed during the breach, which took place as an unauthorized third party gained improper access to Twitch’s servers following a configuration change.
Twitch required all users to reset their stream keys to protect themselves. A stream key is a special piece of code that users must enter before they start recording, which allows Twitch’s software to communicate with the device used to record and stream the video content created.
Streaming services like Twitch and Plex are targets for data breaches as they hold a large amount of customer data. Additionally, users of streaming services may reuse the same login details for multiple services, increasing the amount of data hackers have access to.
A third-party data breach involves someone from outside a company gaining unauthorized access to sensitive data, often via more vulnerable avenues including business partners, suppliers or vendors. Third-party data breaches can utilize a number of techniques like phishing in order to bypass the systems a company has in place and gain access to its data.
Ash Hunt, group head of information security at Sanne Group, notes that due to third-party risk, organizations have had to completely reengineer perceptions around having a stake in external parties’ security postures.
“Previously [third-party risk management] was very much focused on issuing one due diligence questionnaire and hoping it is sufficient, now it needs to focus more on an analytical position where you’re actually conducting risk analysis,” he says.
Each touchpoint to an organization is likely to have different risks and loss exposure dependent on how close it is to an enterprise’s network. This extensive analysis must include forecasting and exploring where an organization is most vulnerable.
Hunt explains that to mitigate this risk, companies must create a trusted catalogue of external parties by using a vetting process. This catalogue must be safeguarded by a central service management platform or handled by a vendor management team. No matter what, there must be sufficient oversight regarding onboarding and managing external parties.
“I guarantee most organizations don’t have that. It all comes down to having a robust governance process over how you manage those vendors as an organization,” Hunt shares.
Cyber Security Hub, a division of IQPC