Plex forums compromised - hackers gained IP addresses, passwords, and more

TopWargamer

Source: http://www.droid-life.com/2015/07/02/plex-forums-and-blog-hacked-user-credit-card-data-said-to-be-unharmed/

Plex, the wonderful personal server software that I and many others use, was unfortunately compromised. The server that hosts their forum and blog was subject to a breach by an unknown team of hackers. Don't worry about your credit cards and whatnot, because Plex does not store payment information on the server that was breached, so your payment information is safe. It still wouldn't hurt to check up on your bank account, though. Unfortunately, the hackers gained access to IP addresses, private messages, email addresses, and encrypted forum passwords.

Plex recommends that if you have a Plex account you change your password immediately, and they even suggest that you use a password manager. They recommended 1Password.

But anyway, here's the email I received on the issue:

[screenshot of the Plex notification email]

Oh well, if they used good enough encryption, the passwords are probably safe. But the private messages... unless they are encrypted too (they should be), the hackers are in for some weird shit, I'm sure :P

Encryption is useless for storing passwords. You can tell common passwords in a list because they'll all be encrypted the same. And if they store the password hints or encryption key in the database as well, they can figure out what the plain text passwords are. Here's hoping they start using a good method of storing passwords, or use "Sign-in with Google/Facebook".

Here's a really cool article on the right way to do password storage:

https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/

The email says that the passwords were hashed and salted, which is the industry standard for protecting passwords, so the same password will have a different hash for every user because the salt is different.

For those who don't know what salting is, basically the server generates a random string for each user and saves that in plain text in the database. When the user enters their password, the salt is prepended or appended to the plain text password, then the combination is hashed. Hashing is a one-way encryption, where the same starting value will always give the same result, and it's highly unlikely (though not impossible) that two strings will give the same hash; the only way to get the plain text password back is to brute force it, as long as they have used a secure algorithm like SHA-2. By salting the password, even if multiple users use the same password, they will all be stored differently in the database, so if someone gets hold of the database, they can't just brute force it once and get a list of hash <-> password combinations - they have to brute force it with each separate salt, making plain text password recovery very difficult.

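The post above makes the point that a salt forces an attacker to crack each account separately instead of once for the whole table. Here is an added example, written for this thread and not code from the post, from Plex or from the linked article, that makes that cost difference concrete. The user list and the attacker's wordlist are constructed sample data, and a single SHA-256 pass is used only so the effect of the salt is easy to see; it does nothing to slow down each individual guess, which is a separate problem.

```python
import hashlib
import os

# Constructed sample data (not from the breach): three users, two of whom chose the same password.
USERS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist: it contains alice's and bob's password but not carol's.
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Equal passwords give equal digests, so one
    cracked digest unmasks every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password. The salt is random per user and stored in
    the clear beside the digest; it is not a secret, it just makes digests unique."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What a naive password table looks like: user -> digest."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Salted table: user -> (salt, digest). os.urandom is a CSPRNG; 16 bytes
    makes two users ending up with the same salt negligible."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        table[name] = (salt, salted_hash(pw, salt))
    return table


def crack_unsalted(table: dict, wordlist: list) -> tuple:
    """Hash each candidate once and compare it with every stored digest.
    Returns (cracked users, number of hash computations): cost = len(wordlist)."""
    cracked, work = {}, 0
    for candidate in wordlist:
        digest = unsalted_hash(candidate)
        work += 1
        for name, stored in table.items():
            if stored == digest:
                cracked[name] = candidate
    return cracked, work


def crack_salted(table: dict, wordlist: list) -> tuple:
    """Each user has a different salt, so every candidate must be re-hashed for
    every user: cost = len(wordlist) * len(table). A precomputed (rainbow) table
    is useless for the same reason."""
    cracked, work = {}, 0
    for name, (salt, stored) in table.items():
        for candidate in wordlist:
            work += 1
            if salted_hash(candidate, salt) == stored:
                cracked[name] = candidate
    return cracked, work


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("unsalted: alice and bob share a digest:", plain["alice"] == plain["bob"])
    salted = store_salted(USERS)
    print("salted:   alice and bob share a digest:", salted["alice"][1] == salted["bob"][1])
    print("unsalted crack:", crack_unsalted(plain, WORDLIST))
    print("salted crack:  ", crack_salted(salted, WORDLIST))
```

Against the unsalted table the attacker spends five hashes and recovers both shared-password accounts at once; against the salted table the same wordlist costs fifteen hashes, one full pass per user, and carol's passphrase survives either way because it is not in the list. With a real wordlist of millions of entries and a forum of hundreds of thousands of users, that multiplier is what the post above is describing.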
Wow, that's an amazing explanation! Thanks for sharing that.

Huh, wasn't aware that's how it worked. Good to know. Even though the hackers still have the encrypted passwords, it wouldn't hurt to change your password... because who knows, they could break the encryption. But then again, I'm also not entirely sure how this stuff works.

Yeah, changing your password is still advised, because attackers can still retrieve your plain text password. However, by following the industry standards, it has made it much more difficult for attackers to get plain text passwords, so they are likely to only target a small subset of the accounts.

Having read through the source that @wpirobotbuilder posted, it looks like the industry standard is actually for sites to hash your password more than once (like, 1000 times) in a row, and throwing some other tricks in there as well, so that brute forcing it is even more difficult. It's a good article, and if you're interested in how passwords are actually secured, I would recommend reading it.

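The post above mentions that the linked article recommends hashing the password many times in a row so that each guess costs the attacker more. That is what a purpose-built password hashing function does; the added example below, written for this thread rather than taken from the post, from Plex or from the Sophos article, uses PBKDF2-HMAC-SHA256 from Python's standard library to show it. The iteration count, the `pbkdf2_sha256$...` record format and the `needs_rehash` policy are assumptions made for the example, not anything Plex is known to use.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed work factor for this example; real deployments tune it so one
# verification takes a noticeable fraction of a second on the server.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>.
    Storing the iteration count with the record lets it be raised later without
    invalidating existing accounts."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so a wrong guess cannot be told apart by timing."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy; the
    application re-hashes on the next successful login to upgrade it."""
    return int(record.split("$")[1]) < target_iterations


def hashes_per_guess(record: str) -> int:
    """How many HMAC computations an attacker must do per candidate password."""
    return int(record.split("$")[1])


def time_guess(record: str, guess: str) -> float:
    """Seconds for one verification; this is the per-guess cost the attacker pays too."""
    start = time.perf_counter()
    verify_password(guess, record)
    return time.perf_counter() - start


if __name__ == "__main__":
    weak = hash_password("hunter2", iterations=1)
    strong = hash_password("hunter2")
    print("stored record:", strong)
    print("1 iteration:      %.6f s per guess" % time_guess(weak, "letmein"))
    print("%d iterations: %.6f s per guess" % (ITERATIONS, time_guess(strong, "letmein")))
    print("correct password verifies:", verify_password("hunter2", strong))
    print("old record needs rehash:", needs_rehash(weak))
```

The salt does the job described earlier in the thread (no two users share a digest, no precomputed table applies); the iteration count multiplies the cost of every guess, for the attacker and for the server alike. Because the server only verifies one password per login while the attacker needs billions of guesses, that asymmetry is the whole point of the scheme.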