The streaming media service Plex confirmed today that it suffered a security breach and sent an email to its customers asking them to change their passwords.

In the email, Plex revealed that Tuesday it “discovered suspicious activity” happening on one of its databases and immediately began investigating. The company said that it discovered that a hacker had gained access to a “limited subset of data” that included emails, usernames and encrypted passwords.

Plex maintains one of the largest media streaming platforms in the world serving more than 25 million registered users. It also allows users to stream movies and live television as well as audio, video and photos hosted on their own home media servers.

All account passwords and usernames accessed were hashed with encryption. That means that they were scrambled in a fashion that makes them unreadable and inaccessible without a specific encryption key. Plex did not reveal the technology used to encrypt them. That doesn’t mean that the encryption cannot be broken given enough time and effort.

As a result, Plex is requiring that users reset their passwords “out of an abundance of caution.”

The company added that credit card and payment data is not stored on its servers, so the attacker could not have accessed it.

So many users rushed to the Plex servers in an attempt to reset their passwords that many began to report that the process was slow or intermittent.

Plex did not log out users to force them to reset their passwords. So users who are currently logged in will need to reset their passwords manually and those already signed out will be asked to reset their passwords upon sign in.

The company also offers two-factor authentication, which uses a secondary form of verification aside from a password to heighten security. For example, when logging in from a new location, the server may send a code via text message on a phone to verify the user when logging in.

Troy Hunt, the creator of Have I Been Pwned, a website that aggregates emails that have been leaked, had originally revealed the email sent by Plex. He said using a password manager such as 1Password or KeePass to avoid reusing passwords could further increase security. Users who use the same username and password combination across multiple services they can leave themselves open to being hacked.

Plex did not reveal any details on the attack itself except that the company has “already addressed the method the third-party employed to gain access to the system” and that the team is doing additional reviews to ensure that it cannot happen again.

Image: Plex