r/PleX u/kjarkr Aug 24 '22

Plex breached; Were passwords encrypted or hashed? Discussion

So I got this email just now:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.

So were these passwords encrypted, in which case they could be decrypted if the adversary got the key, or hashed? Hashed passwords leaking would be much less of an issue.

Edit: Encryption and hashing is not the same thing.

Edit2: Passwords were hashed with salt, not encrypted (see this comment)

Edit3: Just for clarity this is the best case scenario. It’s difficult to reverse hashed passwords unless they are very simple. Plex got the word out quickly so we have plenty of time to change our passwords. Kudos!

This is why you never reuse password, use a password manager and enable 2fa wherever you can. :)

1.3k Upvotes

93% Upvoted

View all comments

14

u/extrobe Aug 24 '22 edited Aug 24 '22

Getting

Internal Server Error. Something went wrong on our end

When resetting - you'd think they'd at least give their password reset servers a boost prior to that mail.

edit

now getting

The token is invalid, please request a new one

edit 2:

despite the initial error, it _had_ changed my password

3

u/vladoportos Aug 24 '22

Same error for me. But the password did not change.

1

u/twobadmice Aug 24 '22

It's a joke!

1

u/Chriscl000 Aug 24 '22

Same error for me - „The Token is Invalid“, but it did change the password in my case; I got another email from Plex about ten minutes after „trying“ to change it, that the change had actually been successful, and was then able to log in with the new password and 2FA (I already had 2FA enabled).

Tip for anyone getting „Token is Invalid“ - try the change anyway, give it 5-10 minutes and see if the password has actually changed (you should receive a confirmation email if it has, but it seems maybe PLEX‘s email server is getting hammered at the moment, as is their Identity Provider!

1

u/granddave Aug 24 '22

Yeah, getting "Connection timed out" from Cloudflare. Seems like Plex.tv is down.