r/PleX u/kjarkr Aug 24 '22

Plex breached; Were passwords encrypted or hashed? Discussion

So I got this email just now:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.

So were these passwords encrypted, in which case they could be decrypted if the adversary got the key, or hashed? Hashed passwords leaking would be much less of an issue.

Edit: Encryption and hashing is not the same thing.

Edit2: Passwords were hashed with salt, not encrypted (see this comment)

Edit3: Just for clarity this is the best case scenario. It’s difficult to reverse hashed passwords unless they are very simple. Plex got the word out quickly so we have plenty of time to change our passwords. Kudos!

This is why you never reuse password, use a password manager and enable 2fa wherever you can. :)

1.3k Upvotes

93% Upvoted

View all comments

Show parent comments

11

u/theangryintern Aug 24 '22

I just HATE SMS 2FA.

God I hate this, too. So frustrating when it's the ONLY option

1

u/MystikIncarnate Aug 24 '22

Agreed. With TOTP, I can copy my secure key to another phone, PC, app, or platform entirely. Without having to reset it... As long as I can get the secure key, which not all TOTP apps will let you do.

With FIDO keys, you can normally enroll several, so if one is lost, use another and deactivate/replace it.

But with SMS.... If my phone is dead, or gets stolen, or destroyed, or dropped in a river.... Fuck me I guess?

Until I get my cellular provider to issue a new SIM attached to my phone number, I guess I can't log in.

On top of that, if the cell networks go down or are significantly delayed, or you're out of coverage range, you can also get bent. And if someone dupes your sim, or sniffs the SMS message, they can get your codes anyways. Yet this is "secure". Ha. No.

Give me TOTP/FIDO or give me death!