In an email to users, Plex admitted that the hacker had been able to access the IP addresses of users, private messages, email contact details and encrypted password hashes.
“Sadly, we became aware this afternoon that the server which hosts our forums and blog was compromised. We are still investigating, but as far as we know, the attacker only gained access to these parts of our systems. Rest assured that credit card and other payment data are not stored on our servers at all.”
Personally I would have preferred to see the firm not embed a clickable reset password link into its notification email, as that’s precisely the kind of trick used in phishing attacks.
Plex said it was advising users to change their passwords, and to ensure that they were not using the same password elsewhere on the net. That’s good advice: after all, if you re-use passwords, it only takes one website to be hacked for you to suffer a world of pain.
Furthermore, Plex wisely recommended that users run a password manager (they suggest 1Password, which is an excellent choice but others are available…) to store their passwords securely and generate complex, hard-to-crack passwords.
From the sound of things, only Plex users who have registered on the company’s forum need to be concerned at this stage – so don’t be surprised if you are a customer of the company but have not received a notification email.
A (now removed) post made by the hacker on the Plex forum described his ransom demands:
My name is savaka and I like to hack things. Recently https://plex.tv/ (s) forum & website was compromised by me. I managed to obtain all of your data, customers as well as software and files.
I replaced the index.php of the administrator cpanel with a nice message, but the ones in charge of your data decided that it would be pretty ‘lulzy’ to remove the message and place the original index back there.
I gave them until the 3rd of this month to send 9.5 BTC to [redacted] or I would release all this data.
This ransom is still active and on the 3rd: if no BTC payment is made, the ransom will go up by 5 BTC.
Eventually if no BTC payment is made, the data will be released via multiple torrent networks and there will be no more plex.tv
You can also pay me to remove your data from the content that’s going to be released by e-mailing “savbtc@[redacted]” – If you send an e-mail without BTC ready to send, I will add your data to a special list.
P.S I don’t care who the BTC comes from as long as the payment is made: no data will be released.
Plex co-founder Elan Feingold responded on Reddit, confirming that computers running the online forum had been “definitely compromised”, most likely due to a “PHP/IPB vulnerability”. He went on to say that there was no reason to believe that any other parts of its infrastructure were compromised.
Obviously giving in to blackmail is never a good idea, as there is no guarantee that the extortionist won’t simply ask for more and more money.
Instead, invest the money in better security – and perhaps either patching your software, or getting a solution which is more capable of defending itself against future attacks.