American streaming service Plex has urged its customer to change their passwords following a third-party data breach that allowed unauthorized access to users’ emails, usernames and encrypted passwords.
In a statement sent to Plex customers and posted on its forum, the company said it had “discovered suspicious activity on one of [its] databases” on August 23, 2022 and had investigated the activity immediately. The company said that it “does appear” that a third party was able to “access a limited subset of data that includes emails, usernames and encrypted passwords”.
The statement noted that it was “out of an abundance of caution” that Plex was requiring all customers to reset their passwords, as those that may have been accessed in the breach were “hashed and secured in accordance with best practices”.
The company recommended that customers use its feature to sign out of all connected devices following the password change to increase their account’s security. They should also enable two-factor authentication if they have not already done so.
While Plex said that it had identified how the third party gained access to the database, it did not share the method with customers. The company noted that it was working to mitigate the incident and to prevent further ones from happening in the future, and that it will “never be complacent in hardening [its] security and defenses”.
Tough day for @plex pic.twitter.com/daAqJFwfZU
— Naz Markuta (@NazMarkuta) August 24, 2022
Unfortunately, this urge to reset passwords has led to many Plex customers complaining that the site itself was down, with one Twitter user remarking that it was a “tough day for Plex”. Another said that the site’s crashing was “interesting timing given the data breach and hack yesterday and off the back of an urgent password reset”.
As the website appears to be functionally normally at time of writing, the service disruptions were most likely the result of a high increase in traffic to the site follow the password reset instruction.
Is the @plex website down for anyone else or just me? Seems interesting timing given the data breach and hack just yesterday and off the back of an urgent password reset.
— Ryan Morrison (@RyanMorrisonJer) August 24, 2022
Other streaming sites have been a target for third-party data breaches
This not the first time a streaming site has been the victim of a third-party data breach. Video game streaming service Twitch reported a data breach in October 2021 which exposed Twitch creator payout as well as data from Twitch’s source code repository.
No login details or payment information were exposed during the breach which took place as an unauthorized third party gained improper access to Twitch’s servers following a configuration change.
Twitch required all users to reset their stream keys to protect themselves. It is a special piece of code required for users to enter before they start recording which allows Twitch’s software to communicate with the device used to record and stream the video content created.
Streaming services like Twitch and Plex are targets for data breaches as they hold a large amount of customer data. Additionally, users for streaming services may reuse the same login details for multiple services, increasing the amount of data hackers have access to.
Interested in gaining more insight from the cyber security community? Become a member of CS Hub today!
What is a third-party data breach?
A third-party data breach involves someone from outside a company gaining unauthorized access to sensitive data, often via more vulnerable avenues including business partners, suppliers or vendors. Third-party data breaches can utilize a number of techniques like phishing in order to bypass the systems a company has in place and gain access to its data.
Ash Hunt, group head of information security at Sanne Group, notes that due to third-party risk, organizations have had to completely reengineer perceptions around having a stake in external parties’ security postures.
“Previously [third-party risk management] was very much focused on issuing one due diligence questionnaire and hoping it is sufficient, now it needs to focus more of an analytical position where you’re actually conducting risk analysis,” he says.
Each touchpoint to an organization is likely to have different risks and loss exposure dependent on how close it is to an enterprises network. This extensive analysis must include forecasting and exploring where an organization is most vulnerable.
Hunt explains that to mitigate this risk, companies must create a trusted catalogue of external parties by using a vetting process. This catalogue must be safeguarded by a central service management platform or handled by a vendor management team. No matter what, there must be sufficient oversight regarding onboarding and managing external parties.
“I guarantee most organizations don’t have that. It all comes down to having a robust governance process over how your managed those vendors as an organization,” Hunt shares.