A server hosting the forums of Plex, the popular digital media streaming service, has been hacked. According to Security Week an attacker, ‘using the online moniker “savaka,” posted a message on the hacked Plex forum claiming to have obtained customer data, software and files. The hacker says he wants Plex to send him 9.5 Bitcoin (roughly $2,400) to a specified address until [sic] July 3. If his demands are not met, he threatens to leak all of the stolen data.’
Plex confirmed the incident in an apologetic blog post yesterday:
At approximately 1pm PDT yesterday (July 1st) we learned that the server which hosts our forums and blog was compromised. The attacker was able to gain access to some personal information, such as IP addresses, forum private messages, email addresses, and encrypted (hashed and salted) passwords for our forum users. As a precaution, we reset the plex.tv passwords of all users with linked forum accounts and reached out via email with further instructions for those affected. At this time, our forums remain offline while we complete our investigation. All other systems are online and operational.
We have no reason to believe that any other parts of our system were compromised, and we never store credit card or other payment data on our systems.
It’s worth taking a moment to remind everyone that it’s super important to choose strong passwords, never share them, and never re-use them on different sites.
At the time of writing, the forum remains unavailable. According to The Verge, Plex “declined to pay the ransom”.
Password best practice
Plex raises an important point about passwords. Microsoft’s Security Intelligence Report (SIR), Volume 17 noted that “What makes stolen account credentials so valuable to cybercriminals is the extent to which users reuse their account names and passwords across different sites and services”.
After all, it is far easier for criminals to sign in to a targeted system with stolen credentials than to break into it. The reason passwords remain a common point of intrusion is simple: far too often, default passwords are left unchanged, or users choose weak, easily cracked passwords.
In the case of Plex, the passwords were hashed and salted. Salting defeats precomputed lookup tables, hides which users share a password, and forces an attacker to work through a wordlist separately for each user; it does not protect a weak password, which a dictionary attack against a salted hash still recovers in moments unless the hash function is deliberately slow. Had the passwords been stored in plaintext, or once the weak ones are cracked, the implications are wider: when a website is compromised and login details are stolen, criminals immediately automate attacks with those username/password combinations against other services to see what else they can access.
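To make concrete what "hashed and salted" buys and what it does not, here is an added example, written for this page and not code from the article or from Plex. It constructs a small fake forum dump with invented users, salts and a six-word wordlist, then runs the dictionary attack an attacker would run against it three ways: unsalted, salted with a fast hash, and salted with a slow KDF. The hash choices (SHA-1 and PBKDF2-HMAC-SHA256) are assumptions for illustration; Plex did not say which algorithm it used.

```python
"""Dictionary attack on a leaked password-hash dump.

Added example (not code from the article or from Plex): shows what an
attacker does with "hashed and salted" passwords, why salting does not
protect a weak password, and what a slow KDF changes.
"""
import hashlib
import time

# Constructed sample data, not from the Plex breach. Salts are short fixed
# strings so the run is deterministic; real salts should be 16+ random
# bytes per user (os.urandom(16)).
WORDLIST = ["123456", "password", "letmein", "qwerty", "plex2015", "iloveyou"]

# username -> (salt, plaintext). The plaintext exists only to build the dump;
# the attacker-side functions below never see it.
USERS = {
    "alice": (b"s1", b"letmein"),
    "bob":   (b"s2", b"password"),
    "carol": (b"s3", b"password"),
    "dave":  (b"s4", b"Tr0ub4dor&3-not-in-any-list"),
}


def fast_hash(salt: bytes, password: bytes) -> str:
    """A fast general-purpose hash: one SHA-1 over salt||password (assumed)."""
    return hashlib.sha1(salt + password).hexdigest()


def slow_hash(salt: bytes, password: bytes, iterations: int = 100_000) -> str:
    """A deliberately slow KDF (PBKDF2-HMAC-SHA256); cost grows with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


def build_dump(hash_fn, salted: bool = True) -> dict:
    """What the attacker gets from the database: user -> (salt, hash)."""
    dump = {}
    for user, (salt, pw) in USERS.items():
        s = salt if salted else b""
        dump[user] = (s, hash_fn(s, pw))
    return dump


def users_with_identical_hash(dump: dict) -> list:
    """Without salts, users who chose the same password share a hash."""
    by_hash = {}
    for user, (_, h) in dump.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def crack(dump: dict, hash_fn, wordlist) -> tuple:
    """Dictionary attack. Returns (recovered {user: password}, hash computations).

    With a single (empty) salt each word is hashed once and compared against
    every user, so a precomputed table would do. With per-user salts the
    whole wordlist must be re-hashed for every distinct salt.
    """
    by_salt = {}
    for user, (salt, h) in dump.items():
        by_salt.setdefault(salt, []).append((user, h))

    recovered, computations = {}, 0
    for salt, entries in by_salt.items():
        for word in wordlist:
            candidate = hash_fn(salt, word.encode())
            computations += 1
            for user, h in entries:
                if candidate == h:
                    recovered[user] = word
    return recovered, computations


def seconds_per_guess(hash_fn, trials: int = 5) -> float:
    """Wall-clock cost of one guess, which bounds the attacker's guessing rate."""
    start = time.perf_counter()
    for _ in range(trials):
        hash_fn(b"s1", b"letmein")
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    for salted in (False, True):
        dump = build_dump(fast_hash, salted=salted)
        found, work = crack(dump, fast_hash, WORDLIST)
        print(f"salted={salted}: recovered {found} with {work} hashes; "
              f"identical hashes: {users_with_identical_hash(dump)}")
    found, work = crack(build_dump(slow_hash), slow_hash, WORDLIST)
    ratio = seconds_per_guess(slow_hash) / seconds_per_guess(fast_hash)
    print(f"PBKDF2: recovered {found} with {work} hashes, "
          f"but each guess costs about {ratio:.0f}x more")
```

Salting raises the attacker's work from one wordlist pass to one pass per user and hides who shares a password, yet the three weak passwords fall in every run; only the slow KDF changes the guessing rate, by roughly its iteration count. Nothing in the storage scheme rescues a user who chose "password", which is the article's point.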
Password reuse is rife, so a single set of stolen credentials has a good chance of opening accounts on several other sites. This is why it is so important for organizations to require their staff to follow best practice for password security.
The use of strong passwords – and changing them regularly – is one of the many requirements of an information security management system (ISMS) as set out in the international standard ISO 27001. An ISO 27001-compliant ISMS focuses on people, processes, and technology, ensuring a holistic approach to information security across the organization.