Media Streaming Service Hacked; No Support for Two-Factor Authentication
Plex, a media streaming service, announced that their forum and blog servers were hacked - meaning your email address, IP address, forum messages and encrypted (hashed and salted) password may have been stolen. As of now, their forums are offline while they investigate.
Plus, they’re being blackmailed - in a statement reposted on reddit, someone named ‘savaka’ claimed responsibility for the hack, stating they had “managed to obtain all of your data, customers, as well as software and files.” They are holding the data for ransom until they receive 9.5 Bitcoins, stating they would release the data on torrent networks if they aren’t paid.
While the cause is not yet confirmed by the company, co-founder and CTO Elan Feingold replied on reddit that they were still investigating, and that it was likely the forums machine was compromised via a PHP/IPB vulnerability. As a precaution, the company reset all plex.tv passwords for users with linked forum accounts.
Another reddit poster mentioned that users should also update their Plex passwords in the following apps:
- Couchpotato (for notifications and library updates)
- Sonarr / Sickbeard (for notifications and library updates)
- Plexwatch (for shared user notifications)
Their blog also encourages using a password manager like 1Password or LastPass to generate strong passwords for different sites and services. However, since LastPass recently suffered a breach, it’s also a good idea to use two-factor authentication, a best security practice that is supported by LastPass.
I also searched through their support FAQs thoroughly, and couldn’t find any mention of whether or not they support two-factor authentication. When I googled “Plex two-factor authentication,” the first hit revealed that people on reddit like to complain about Plex security, apparently.
One poster urged users to not only have a strong, unique password for their Plex accounts, but to also ask for two-factor authentication - “hooking in two-factor authentication to the Plex login will prevent unauthorized users from logging in without a second device.”
Authentication security seems to be an issue with other entertainment/media websites, as twofactorauth.org reveals that almost none of them support two-factor authentication. Those sites include Hulu, Last.fm, Netflix, Plex, SoundCloud, Spotify, TIDAL, Twitch and a few other video streaming sites. Only YouTube supports two-factor authentication, which is most likely just a side effect of merging with Google logins.
Perhaps now that they’ve been breached, there will be a far greater outcry for two-factor authentication support for the service.