Jul 3, 2015
7:52:08am
7:52:08am
Plex accounts hacked
I've been a huge proponent of Plex, ever since they got their start a few years ago. I've posted many threads about the Plex systems that I have up and running, and I think I helped motivate many on this board to use the system for media.
So, I figured I'd stop by here and let everyone know that Plex cannot keep their servers safe, and has lost all of their users' email addresses and passwords. Huge facepalm on their part, as the attack was stupidly simple and their security architecture significantly lacking in sophistication. In their official response, Plex claims that there's no way that the attackers could have gotten the passwords... after speaking with some folks 'in the know', I suspect that they are talking out of their backsides.
Due to user password fatigue, I bet many of you used email addresses and passwords for Plex which were identical or very similar to those of logins that really mean something to you (like credit card loyalty programs, etc. - more on this later). As a result of the loss of the Plex password database, I'd highly recommend that anyone change their passwords, not only on Plex, but on every other account that has a similar username/password combo.
Why is this important? There is a group of online miscreants who have created a polymorphic password cracking mechanism which they usually direct at loyalty program sites. They feed this cracker with credentials stolen from online databases like that which was just stolen from Plex. Say you had a password of Password!, their cracker will try Password1, Password@, Password2, etc. against sites like Capital One's rewards, hotel and airline rewards, etc. They get into those accounts (which typically have much lower security requirements than online banking, etc.), but then monetize that access by converting the points in the accounts to gift cards, which they then use to buy merchandise, which they ship to mules, who then sell that merchandise and then return the hard cash to the attackers.
So, if you value your stuff, change all of those passwords.
So, I figured I'd stop by here and let everyone know that Plex cannot keep their servers safe, and has lost all of their users' email addresses and passwords. Huge facepalm on their part, as the attack was stupidly simple and their security architecture significantly lacking in sophistication. In their official response, Plex claims that there's no way that the attackers could have gotten the passwords... after speaking with some folks 'in the know', I suspect that they are talking out of their backsides.
Due to user password fatigue, I bet many of you used email addresses and passwords for Plex which were identical or very similar to those of logins that really mean something to you (like credit card loyalty programs, etc. - more on this later). As a result of the loss of the Plex password database, I'd highly recommend that anyone change their passwords, not only on Plex, but on every other account that has a similar username/password combo.
Why is this important? There is a group of online miscreants who have created a polymorphic password cracking mechanism which they usually direct at loyalty program sites. They feed this cracker with credentials stolen from online databases like that which was just stolen from Plex. Say you had a password of Password!, their cracker will try Password1, Password@, Password2, etc. against sites like Capital One's rewards, hotel and airline rewards, etc. They get into those accounts (which typically have much lower security requirements than online banking, etc.), but then monetize that access by converting the points in the accounts to gift cards, which they then use to buy merchandise, which they ship to mules, who then sell that merchandise and then return the hard cash to the attackers.
So, if you value your stuff, change all of those passwords.
Originally posted on Jul 3, 2015 at 7:52:08am
Message modified by m4t4d0r on Jul 3, 2015 at 7:54:15am
Message modified by m4t4d0r on Jul 3, 2015 at 7:58:27am
- Previous username
- MSCoug
- Bio page
- m4t4d0r
- Joined
- Jul 14, 2001
- Last login
- Apr 29, 2024
- Total posts
- 8,423 (12 FO)
