Plex, a well-known streaming platform with more than 25 million subscribers worldwide, admitted that it experienced a data breach of one of its user databases. The firm reported that the stolen data included customers' usernames, email addresses, scrambled passwords and some authentication information.

Although Plex pointed out that the stolen passwords were scrambled in a way that cannot be read by a human being, it is not clear whether the hackers could make any effort to crack them.

The firm advised users to reset their passwords through its password reset feature, and also to log out of all the devices they were connected to. Yet, unlike several other companies that have experienced such breaches, Plex did not impose a forced reset of all passwords; the decision was left to its users.


Why Plex's Response Is so Unusual

It is the norm for organizations that have experienced data breaches to take stringent preventive measures, in most cases compelling all affected customers to change their passwords immediately. This ensures that, even if the stolen data is cracked, the hackers cannot gain access to accounts.

Plex's choice to only suggest password resets, rather than mandate them, raises concerns about how seriously the company is taking this threat.

The company has also been imprecise about the scale of the breach. It has not disclosed the number of accounts that were exposed, when the breach occurred, or how long the attackers had access. This lack of detail leaves users uncertain about the degree of risk they are exposed to.

The Silence on the Technical Details

The other issue is that Plex would not provide crucial technical information. The company declined to answer when asked which hashing algorithm it uses to scramble passwords.

There is a wide variety of hash functions. Modern tools can break some older or weaker algorithms, allowing attackers to recover the passwords. Without this information, users cannot judge whether their data is well protected or not.
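As an added illustration (not code from the article or from Plex), here is the difference the hashing scheme makes. An unsalted fast hash such as SHA-1 turns identical passwords into identical digests, which is exactly what makes precomputed tables effective, while a per-user random salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library) removes that property and makes each guess expensive. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share the same weak password.
USERS = {"alice": "summer2023", "bob": "summer2023", "carol": "correct horse"}


def legacy_digest(password: str) -> str:
    """Unsalted, fast hash (a weak legacy scheme).
    Same password -> same digest, so one precomputed table cracks every copy."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as one self-describing string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def reveals_shared_passwords(table: dict) -> bool:
    """Audit check on a stored credential table: if two records carry the same
    digest, the scheme is unsalted and shared passwords are visible at a glance."""
    digests = list(table.values())
    return len(set(digests)) != len(digests)


if __name__ == "__main__":
    legacy = {u: legacy_digest(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    print("legacy table leaks shared passwords:", reveals_shared_passwords(legacy))
    print("salted table leaks shared passwords:", reveals_shared_passwords(salted))
    print("alice verifies:", verify_password("summer2023", salted["alice"]))
```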

This ambiguity extends to other aspects of the breach. Plex has not said what kind of attack took place, whether a system vulnerability, a targeted attack or an insider threat. Nor has the company clarified whether the hackers demanded a ransom. All this leaves matters uncertain, and in cybersecurity silence only heightens mistrust.

Risks for Plex Users

In the meantime, Plex users should take the warning seriously. Scrambled passwords can still be cracked, particularly when they are weak or reused across more than one account.

Hackers readily combine stolen data with other leaks to gain access to accounts on other services. This means a Plex user who uses the same email and password on another site risks losing more than just their streaming account.

Because Plex does not impose password resets, the responsibility falls on the customer. Those who disregard the advice face real danger if the stolen authentication data can be exploited by attackers.

A Pattern in Data Breaches

The Plex incident brings to light a larger problem within the tech industry. Data breaches are nothing new, and they affect even companies that can boast millions of users.

However, many organizations fail to communicate effectively with customers after such incidents. Vague, non-specific reassurances can hurt trust more than the breach itself.

Being transparent about what took place, how the attackers got in and how users can protect themselves goes a long way toward preventing panic and building confidence. Plex's limited disclosure suggests that some companies have yet to strike the right balance between public relations and user safety.

What Comes Next

There will likely be increased pressure on Plex from both users and security experts to publish more information. Regulators may also demand more disclosure in certain jurisdictions, particularly in Europe, where data protection laws are stringent.

Meanwhile, the most sensible action customers can take is to change their Plex password as soon as possible, replace it with a strong and unique one, and turn on any extra security options that are available.

Another lesson from the breach is that in the digital age, security and trust go hand in hand. How Plex handles the aftermath may prove as significant as the breach itself.
