Plex Media Sever forum’s registered users received an email from the firm announcing that a breach of their system has exposed private data linked to their accounts.
The company’s official email instructs users to immediately change their passwords even if they have stored them in an encrypted form, that is, hashed and salted. Also, the message suggests that it is highly unlikely to retrieve them in plain text format.
The message begins as: “Sadly, we became aware this afternoon that the server which hosts our forums and blog was compromised. We are still investigating, but as far as we know, the attacker only gained access to these parts of our systems.”
The company assured paying customers that card-oriented information wasn’t at any risk at all because this sort of data is never stored on Plex servers ever.
Most affected ones are Plex forum users because their IP addresses, email addresses and private messages all got exposed.
According to the company spokesperson, the investigation has been initiated but the flaw exploited was probably related to PHP/IPB.
Company gave away the same monotonous and conventional pieces of advice by recommending users to select new passwords. The message stated: “Choose a strong password, never share it, and never re-use passwords for different accounts!”
Allegedly the hacker published a post on Reddit claiming that Plex must pay 9.5bitcoins ($2,427 / €2,190) till tomorrow otherwise the user data will be leaked into the public domain.
If the company fails to pay the ransom by July 3rd, hacker stated that the amount would increase to 14.5bitcoins ($3,705 / €3,340).
“Eventually if no BTC payment is made, the data will be released via multiple torrent networks and there will be no more plex.tv,” said the hacker.
Also, hacker noted that it didn’t matter who pays the fee and users may also contribute to avoid their data from being leaked.