We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.

  • papertowels@mander.xyz
    3 months ago

    No security guy, but if the passwords were just hashed and not salted it’s not ideal. Better than plaintext for sure though.

    EDIT: Plex employee confirmed they do salt (and pepper, which I’m less familiar with), the last time they were hacked and had passwords exposed, fwiw.

    • Die4Ever
      3 months ago

      If they were hashed then they were likely salted too, not much reason to not do both. Especially since they said “in accordance with best practices”, otherwise they’re just lying lol. They probably just didn’t want to make the announcement too technical.

      • David Zaslavsky@techhub.social
        3 months ago

        @Die4Ever @papertowels indeed, I’d bet that’s the case. And hashing without salting would be a blatant violation of best practices. Along similar lines, for “best practices” I would expect that the passwords were actually salted, peppered, hashed with a state-of-the-art algorithm like Argon with a reasonably high difficulty factor, stored in a database server with locked-down internal access, and more stuff I’m not even familiar with. But you don’t put all that in a public announcement of a breach. It’d be neat if they release a postmortem technical report at some point, though, which talks about some of those details.

        (And of course I changed my password just in case - it’s easy enough to do.)

        #Plex #infosec
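The salt and pepper steps discussed in the comments above, as an added example that is not part of the thread and is not Plex's code. It uses `hashlib.scrypt` from the Python standard library as a stand-in for Argon2 (which needs a third-party package); the pepper value, cost parameters and function names are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed pepper for the demo. Assumption: in a real deployment this secret
# lives outside the database (KMS, HSM or app config), never beside the hashes.
PEPPER = b"constructed-demo-pepper-not-a-real-secret"

# scrypt cost parameters (assumed values for the demo; tune to your hardware).
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Pepper step: keyed HMAC, so a stored hash cannot be brute-forced
    # without the server-side secret.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt step: the per-user salt goes into the memory-hard KDF.
    return hashlib.scrypt(peppered, salt=salt, **SCRYPT)


def hash_password(password: str, pepper: bytes = PEPPER) -> tuple[bytes, bytes]:
    """Return (salt, digest); both are stored in the user's database row."""
    salt = secrets.token_bytes(16)  # unique random salt per user
    return salt, _derive(password, salt, pepper)


def verify_password(password, salt, digest, pepper=PEPPER) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, salt, pepper), digest)


def unsalted_sha256(password: str) -> str:
    """The weak baseline from the thread: hashed but not salted."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    salt_a, hash_a = hash_password(pw)
    salt_b, hash_b = hash_password(pw)
    print("unsalted, same password -> same hash:", unsalted_sha256(pw) == unsalted_sha256(pw))
    print("salted, same password -> same hash:  ", hash_a == hash_b)
    print("verify with server pepper:           ", verify_password(pw, salt_a, hash_a))
    print("verify with wrong pepper (DB only):  ", verify_password(pw, salt_a, hash_a, b"guess"))
```

The last line shows what the pepper buys a defender: someone holding only the database rows (salt and digest) cannot confirm even a correct password guess without the secret kept elsewhere.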

    • FreedomAdvocate@lemmy.net.au
      3 months ago

      “in accordance with best practices”

      They absolutely would have been salted, as that is best practice. Just not something the average Plex user understands most likely.