
Plex's forums hacked, user data being held ransom

Streaming service Plex's forums have been hacked, and the attacker is holding the stolen data for ransom in exchange for Bitcoin. Plex has announced that the attacker was able to gain access to IP addresses, email addresses, hashed and salted passwords, and forum private messages. Payment information is not stored on Plex's servers, so it was not exposed.

The streaming service refused to pay the ransom and has reset the passwords of all affected users. Plex uses single sign-on (SSO) between its forums and plex.tv, so if the attacker cracks the hashed passwords offline (guessing candidate passwords and hashing each one with the user's salt until a result matches the stored hash), the recovered credentials would also open that user's Plex.tv account. The salt stops precomputed hash tables from being reused across accounts, but it does nothing to protect a weak or reused password from being guessed.
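To make the "hashed and salted" point concrete, here is an added example that is not Plex's code. The article does not say which hash scheme the forum software used, so the three storage schemes (bare SHA-256, salted SHA-256, PBKDF2), the accounts, the salts and the wordlist below are all constructed assumptions. It runs the offline dictionary attack an attacker would run against a dumped users table under each scheme and shows what the salt buys, what a slow KDF buys, and that neither rescues a password that is in the attacker's wordlist:

```python
"""Added example, not Plex's code: an offline dictionary attack against a
dumped forum users table. Every account, salt, hash scheme and wordlist
entry here is constructed for illustration; the article does not say
what Plex's forum software actually used."""
import hashlib

# Constructed attacker wordlist (a real one would have millions of entries).
WORDLIST = ["123456", "password", "Password1", "plexrocks", "letmein", "qwerty"]

# Constructed forum accounts: the plaintexts the attacker does NOT have.
ACCOUNTS = {
    "alice@example.com": "plexrocks",             # weak: in the wordlist
    "bob@example.com":   "Password1",             # weak: in the wordlist
    "carol@example.com": "7vQ!x2nL#pR9kW3mZ@eT",  # strong and unique
}


def unsalted_sha256(password: str, _salt: bytes) -> bytes:
    """Worst case: a bare hash. Identical passwords hash identically."""
    return hashlib.sha256(password.encode()).digest()


def salted_sha256(password: str, salt: bytes) -> bytes:
    """One round of SHA-256 over salt||password (assumed scheme, common in
    older forum software). The salt defeats precomputation, not guessing."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Slow KDF: each guess now costs `iterations` HMAC-SHA256 computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_leak(hash_fn):
    """Produce the (email, salt, hash) rows an attacker gets from the dump.
    Salts are derived deterministically so the example is repeatable; a
    real system would draw os.urandom(16) per user."""
    rows = []
    for i, (email, password) in enumerate(ACCOUNTS.items()):
        salt = hashlib.sha256(f"salt-{i}".encode()).digest()[:16]
        rows.append((email, salt, hash_fn(password, salt)))
    return rows


def crack_precomputed(rows, wordlist):
    """Against unsalted hashes: hash the wordlist once, then look every row
    up in the table. Work = len(wordlist) no matter how many users leaked."""
    table = {hashlib.sha256(g.encode()).digest(): g for g in wordlist}
    recovered = {email: table[h] for email, _salt, h in rows if h in table}
    return recovered, len(wordlist)


def crack_per_user(rows, wordlist, hash_fn):
    """Against salted hashes: each candidate must be re-hashed with every
    user's own salt, so work grows with users x guesses. Returns the
    recovered {email: password} mapping and the number of hash evaluations."""
    recovered, work = {}, 0
    for email, salt, stored in rows:
        for guess in wordlist:
            work += 1
            if hash_fn(guess, salt) == stored:
                recovered[email] = guess
                break
    return recovered, work


def run_attack():
    """Run the attack under all three schemes; returns {scheme: (recovered, work)}."""
    return {
        "unsalted_sha256": crack_precomputed(make_leak(unsalted_sha256), WORDLIST),
        "salted_sha256": crack_per_user(make_leak(salted_sha256), WORDLIST, salted_sha256),
        "pbkdf2": crack_per_user(make_leak(pbkdf2), WORDLIST, pbkdf2),
    }


if __name__ == "__main__":
    for scheme, (recovered, work) in run_attack().items():
        print(f"{scheme:16s} work={work:3d} evaluations  recovered={recovered}")
```

With these constructed inputs the salt turns 6 hash evaluations into 13 (one pass over the wordlist per user), and PBKDF2 multiplies each of those 13 by 50,000, which is why the third run takes around a second where the first two are instant. But alice's and bob's passwords fall under all three schemes; only carol's survives, and only because it is not guessable. That is the whole argument for a strong password that is unique to the service.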

The hacker posted the ransom demand on Reddit:

I gave them until the 3rd of this month to send 9.5 BTC, or I would release all this data. This ransom is still active and on the 3rd: if no BTC payment is made, the ransom will go up by 5 BTC. Eventually if no BTC payment is made, the data will be released via multiple torrent networks and there will be no more plex.tv. You can also pay me to remove your data from the content that's going to be released - If you send an e-mail without BTC ready to send, I will add your data to a special list.

Plex confirmed the breach on its official blog, stating that its investigation was still under way:

At approximately 1pm PDT yesterday (July 1st) we learned that the server which hosts our forums and blog was compromised. The attacker was able to gain access to some personal information, such as IP addresses, forum private messages, email addresses, and encrypted (hashed and salted) passwords for our forum users. As a precaution, we reset the plex.tv passwords of all users with linked forum accounts and reached out via email with further instructions for those affected. At this time, our forums remain offline while we complete our investigation. All other systems are online and operational.

If you're a Plex user, we suggest you change your password now. Create a strong password that is unique to the service, so that a cracked forum hash cannot be tried against your accounts on other websites, and if you reused the old password anywhere else, change it there too. We'll update the article once we have more information.

Source: Reddit, Plex

114 Comments
  • What a mean person!
  • Just wondering, but why would anyone care if someone stole their forum logins? Maybe if they used the same logins elsewhere, but other than that?
  • They are claiming to have more data.  Plex says all they could get are the hashed passwords, but the (censored for the kids) says they have more.  That's what they're claiming to have for "ransom".
  • I wouldn't even call them a "person".  They are targeting the wrong people.  What did Plex do to deserve this?
  • There aren't "right" people for such things.
  • I see what you mean, but I meant it as: I support Anonymous attacking ISIS twitter accounts, and things like that. Not hacking Plex or the Ubuntu Forums.
  • They should have asked for payment in Skittles. Just red ones.
  • Disastrous situation for Plex. I wonder how they were going to deal with it.
  • Resetting people's passwords, like mentioned in the article.
  • Probably charge us more :\
  • OMG! Don't worry, Arno will do the rest
  • Along with ezio :3
  • Don't forget Aiden Pierce!
  • Damn..
  • I suppose this is a tiny bit of a good thing in the fact that they have it in their head that Plex is a big enough company that they can be hacked and ransomed, hopefully they will learn from this and tighten up their security, I'm a Plex user myself, but I'm not worried about this, just change my password, luckily they don't store account details on their servers, I hope they catch this guy, get a job as a hacker or something, go work for NSA, don't steal customers data and ransom it!!!!
  • They have forum account details on their servers.
  • If you had the ability to read English and understand sentences you would know he was talking about bank account details.
  • Da fck is Plex?
  • Asked the same question. I guess the hacker knows what plex is enough to hack em
  • A proprietary spinoff of xbmc
  • Someone's gonna ask what xbmc is next ;O)
  • A piece of software that is now called Kodi
  • The best cross-platform service to stream your film and music collection to various different screens.
  • I would switch to using plex but the two things I require are vob support and metadata support for mymovies, neither of which are possible at this time. So it's really only the best, like most things, depending on your situation.
  • Yeah - I started our home media collection with WHS and WMC. All the movies ripped to server in folder format (only previews, PUOs, etc., removed). Plex still, to this day, refuses to support disc images, whether ISO or folder format (which would be an easy conversion back to ISO). I've thus stayed off this now derailed train. :P
  • Haha I've been wondering that as well
  • Damn, everyone is getting hacked nowadays
  • Yeah... hacking is everywhere....
  • 9.5 BTC is quite a small amount for something like plex, right?
  • Yes... It is only $2,464 to be exact... Well that is a smart kiddie hacker... Lol... Very smart... For a low price... Lol
  • Why 9.5 BTC? Why not 9? Why not 10? Why not 50? Such an exacting amount leads me to believe that if he got it, it was going to pay for a specific computer upgrade this kiddy wants that Mommy refuses to pay for.
  • 9.5 BTC is a very small amount... he must be mad.
  • Wow, how arrogant. Do you even have BTCs or hacking skills to feel entitled to berate the hacker?
  • The hacker is a twat and a thief. No need for digital currency or hack skills to figure that out.
  • I was thinking the same thing
  • Anyone committing such acts deserves berating.
  • Good luck hacker idiot!
    My password was a unique 20 character randomly generated password with special characters... :-)
    Also my mail address at Plex was a unique mail address used only for Plex. That mailbox is closed now... :-)
    Not a problem...
  • Why would you close the mailbox?  Unless you used the same password for both...
  • Why keep it open? I have my own domain name, so I use hundreds of unique email addresses that I give out to people e.g. for Plex it would be plex@mydomain.com; for the Hilton hotel it would be hilton@mydomain.com; for Windows Central it's wpcentral@mydomain.com... that way I know who is spamming me or sold my email to be spammed. I can also block/delete an email address in an instant and know that it will only affect one website or company. Speaking of spam, my Windows Central email IS getting spammed - which means they've either sold the list to someone, or they've had their list compromised. There is no other explanation as I ONLY use it to login here.
  • I've done the same, and have also used different names in my profile info. It truly is amazing how many companies share your information with "business partners" without proper notice. Also stunning, those that do give notice say to allow 6 weeks to add your name to their do not share list.
  • I do the same thing. Funny thing is that if you use Google Apps (I still have a free one that supports way more than 10 accounts), you can do it with aliases or even + signs. This way, you close an alias and not a full mailbox. Also, with Google Apps (and Gmail too), you can do the + sign trick (mailbox+alias@domain.com). The "+alias" can be tagged and filtered on.
  • Great job telling the world
  • I do the same thing everywhere, as far as passwords and email addresses are concerned. Nice to have your own domain names. I have several domains. Except I usually use 22 to 24 character passwords. Longer on websites that allow it. I don't have to do the typing for it anyway, so I generally make the password as long as the site will accept for the maximum characters, and randomly shorten it so that the length of the password also cannot be guessed. There will be no compromises of my data. Even with hashes and salts, it will take them more years than they have left to live to extract the data, and I change all my passwords everywhere I log in on a regular basis, reminded kindly by KeePass to do so. Even if they could do it quickly, I have a small handful of sites that have my financial data of any sort, and those are all changed twice per week. Paranoid much? Yep. Proud of it, too. Never been compromised. And being able to recycle email addresses to keep out spammers is a great thing to be able to do. :)
  • So if this only affects the forums, I guess only people who go to the forums are affected and it doesn't interfere with the other plex services.
  • Assuming Plex staff was honest about what was taken
  • If they weren't, they'll find themselves in very hot water with the law, as they're obliged to inform people of the extent of the compromise.
  • I'd doubt they'd do that but they aren't most transparent bunch.
  • Why would this guy think this would mean there would be no more plex.tv? 
  • The F*&k?
  • We people won't mind about our personal data if Plex gives us 1 bitcoin each... to our mail address...
  • Extort them for being extorted?
  • Everyone is getting hacked. Makes you wonder with all the new security measures we have coming (facial recognition, iris scan, etc), will it help? Everything is digital now and so easily broken into
  • That's why you don't store personal information or files online....
  • Should the FBI Cybercrime Division get involved in a situation like this?
  • Just report this to the FBI. He posted about it, shouldn't be hard to nab him.
  • It happens it's part of the internet.
  • It happens all on thepiratebay
  • The hacker gets to see an inordinate number of "When in India?" comments.
  • Tables have turned buddy, now every good thing comes to India, rest world can ask same question.... When in .......????
  • Since when? Ah yes India has the final release of Cortana already, oh wait.....
  • And "Seems faster" (especially lately)
  • Isn't the running joke to spell it "Wen in India?" ;-)
  • The hacker asks to remove all "when in India" comments as for ransom.
  • The hacker would get a lot of "Seems Faster" comments.
  • The first comment would be 'that hack seemed faster' XD
  • We'd see articles about the next MyHackFree App of the day. Instead of a countdown timer, it'd be count up bitcoin timer. Better get the App right when its published.. OR ELSE...
  • My unique windows central email already gets spammed so they probably already have been
  • The lesson here is to make sure you don't use shared accounts and passwords across any sites.
  • Goddamn ... I can't remember that many different PWs
  • There are apps for that.
  • Use LastPass.
  • Same data was stolen from last pass last week...
  • It's not the 80s nobody says hack anymore.
  • Tony is that you?
  • If it's a hack, they say hack. Simple.
  • If it's the government, they will say viewing information on a publicly accessible site is a hack if it suits their needs. HAXOR1!1!1! "My client clicked a link." TERRIST! GITMOOOO"
  • Cyber space is great, but seriously who is next?
  • Why I do not wonder that payment was asked in BTC xD  
  • This must be a kid....who asks for less than $2500 ransom?
  • yeah, at least ask for "one miiillion dollars"
  • guy obviously didn't get his doctorate in evil.
  • I would have asked for Sharks with laser beams.
  • Yeah, clearly an amateur. Send in Perry the Platypus to foil his eeeeeevil plan. Kid probably won't even graduate high school now.
  • This is why I hate people. Get a fucking life you hacking bastards. I don't use plex, but this does nothing but hurt all those that use it.
  • Well, actually, it reminds the lazy owners of these services to enforce proper security standards.
  • If people wouldn't do this then "proper" security standards wouldn't be necessary
  • The best way to look at it, you wouldn't leave your all the external doors in your house and your physical mail box wide open 24/7. So this is no different, it's only as secure as you make it.
  • On the flip side though, no matter what locks you have, hardened frames, glass, security cameras - if someone wants in they will find a way. The point is, why do it in the first place? The excuse of "well, you didn't protect it enough" doesn't really wash! If someone gets in your locked house and takes your possessions, would it then be your fault for not providing adequate security?
  • Please stop the bullshit
  • Unless you live in Canada
  • I accidentally left my front door wide open for 10 hours while I was at work... came home and nothing was touched #JustAustralianThings
  • Try that in South Aftbuddy xD
  • Well, actually, it reminds me of lazy users of these services who fail to use a strong enough password!!!!
  • Wow
  • Sounds like a plot for a new Austin Powers movie.
  • Haha :D
  • What is bitcoin?
  • Bing it, it takes a lot of time to explain crypto currency.
  • *Google it instead, because Bing is hopeless http://bfy.tw/dvx
  • lol rip for those people
  • Lol I've registered a day before yesterday
  • F*ck hackers using their abilities for evil ends. I hope they can track its IP over reddit. And now reddit will have a bad name, smh.
  • Well, if he / she was able to hack Plex and obtain all that data, then wouldn't they be able to mask their IP? :P. Lol, think about it. What you're saying is equivalent to raiding a safe, then leaving a trail of money notes all the way back to the stash.
  • The ways to mask an ip can vary in security. But each way had a loophole. If someone has the skill to counter-act it (for example the FBI in America, or maybe the company?) They can likely track them.
  • This sucks! I love Plex. Microsoft should just go ahead and buy them before google does. Roku too!
  • Good thing I stopped short of signing up for plex! Should push them to enforce tighter controls. However anything human made will sooner or later crumble either via such events (as chaos is just in our nature - there is no peace without chaos and vice-a-versa) or just through wear and tear.
  • Thank you Aristotle
  • Busted a gut.
  • I think I just stumbled upon a deep speech about our existence and the chaos in our wake XD
  • 2500$ ? that's a joke, right ?! Anyway, it's forum data.
  • Now the service owners and their users have learnt a valuable lesson. Think before you give your personal data to strangers boys.
  • I highly doubt they gave it to them on a silver platter XD but I'm gunna guess its complete humour XD
  • The person that did this needs the same thing to be done to them and everything they have. This hacking bs needs to start being severely dealt with!
  • Wow!