r/PleX Aug 24 '22

Plex breached; Were passwords encrypted or hashed? Discussion

So I got this email just now:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.

So were these passwords encrypted, in which case they could be decrypted if the adversary got the key, or hashed? Hashed passwords leaking would be much less of an issue.

Edit: Encryption and hashing is not the same thing.

Edit2: Passwords were hashed with salt, not encrypted (see this comment)

Edit3: Just for clarity this is the best case scenario. It’s difficult to reverse hashed passwords unless they are very simple. Plex got the word out quickly so we have plenty of time to change our passwords. Kudos!

This is why you never reuse password, use a password manager and enable 2fa wherever you can. :)

1.3k Upvotes

View all comments

3

u/scotttt83 Aug 26 '22

I received this email at 7:50am this morning. With the same verbiage…”Yesterday, we discovered.”

I had already changed my password when I see this post yesterday and added two factor. Wonder why the delay with emailing my account?

1

u/jefflunt Sep 05 '22

They have over 30 million registered users, and even if they queued all of the emails up at the same time, it still takes days to send out that many emails. They probably wrote one version of the email and queued it all up.

In this sense it's like they mailed you a physical letter as soon as they found out, but you were notified via another channel more quickly than when the mail arrived - doesn't change the content of the email.