Plex said in a message to users that a hacker had been able to access the IP addresses of users, private messages, email contact details and encrypted password hashes.
The motive for the attack appears to be money. According to security researcher, Graham Cluley, the hacker (who went by the name of savaka) posted a ransom note on the Plex forum (which has since been removed) demanding 9.5 Bitcoins by 3 July, rising by 5 Bitcoins if the sum had not been paid by then.
Cluley told SCMagazineUK.com it would be unlikely that Plex would pay as it would leave the company open to further exploitation. It would be far better, he added, if Plex spent the proposed ransom money on improving security. “They will need to run an internal investigation into precisely what went wrong, and put processes and technology in place to prevent it from happening in future. It may be that they weren't keeping their forum software up-to-date or that they configured it incorrectly,” he said. “Maybe they were using weak passwords or were re-using passwords, and that helped the hackers.”
He added that the company needed to look more closely at its security procedures. “Are they keeping their systems updated with the latest patches, have enabled additional security measures that might have reduced the chances of compromise, trained staff to understand the risks,” he said. “One hopes that the board are also now more focused on the importance of security.”
The attack draws attention to the growing threat of ransomware attacks. According to Guillermo Lafuente, security consultant at MWR InfoSecurity, the industry is seeing a rise in this type of attack. “It is an easy way for hackers to monetise their activities,” he told SC, pointing out they're effective “because sometimes companies are too scared to avoid paying the money. A common example is the use of malware that encrypts the files with strong encryption, leaving the victim unable to recover their important files without first paying the funds.”
It was not fully clear how the breach occurred. In a post on the company website, co-founder Elan Feingold said it was “most likely due to a ‘PHP/IPB vulnerability'” but didn't offer a definite cause.
Cluley said this equivocation was wise. “It's not always immediately obvious how a breach occurred. The last thing any firm wants to do is say that they were hacked via method X, only to find out later that it was actually Y or Z,” he added.
However, attempts by the company to put its users' minds at rest failed at the first hurdle when, said Cluley, its email to members included a clickable link, something that could be exploited by criminals. “It's far better to have a message such as ‘Go to our website, and you'll find a prominent link to reset your password'. As the hackers may know your email address, please be very wary of any messages you receive inviting you to click on links – as they could be attempts to phish your credentials,” he said.
