- About 3.2 million records belong to users of the ‘Pluto TV’ service are now circulating the dark web.
- Someone is freely sharing the data pack on a dark web forum, claiming that it’s the work of ShinyHunters.
- The data is two years old, but scammers and phishing actors could still use them.
Approximately 3.2 million user records that apparently belong to the ‘Pluto TV’ platform are being freely distributed on a dark web forum by a hacker. Usually, we see such moves after the stolen data has already been exploited by the hackers who got to steal it or the first “exclusive” buyer.
In this case, too, the name of the notorious data broker “ShinyHunters” is involved, although the user who is distributing the data is using a different nick.
Indeed, those who have seen samples of the data confirm that they appear to be around two years old, with the most recent record dating back to October 12, 2018. This means the actors who performed the security breach on Pluto TV have had ample time thus far to exploit it in every possible way.
As for the validity of the entries, there’s no doubt about it. The data that is included in the packs include the following:
- Email address
- Passwords (bcrypt hashed)
- Dates of birth
- Device platform
- IP address
Pluto TV is a Los Angeles-based TV service founded in 2013 and bought by ViacomCBS in 2019. The platform is free to use and follows an ad-support business model, allowing users to select programming content and consume it in a “traditional” linear viewing way. The platform has optional registration, which is there to help users retain their settings and content preferences. If you belong in this category of users, you should reset your password on the platform and anywhere else where you may be using the same credentials.
Since email addresses are included in the data, phishing and scamming is also a possibility. IP address gives away someone’s location, and dates of birth allow threat actors to set up trickery like claiming that you have a gift on the post, for example. Scammers will try anything to trick you, so if you are a registered Pluto TV user who joined before October 2018, beware.
The platform had failed to inform the users of this leak when it happened, and since it’s under new ownership now, there can be no attributions pointed to them anymore. Possibly, “ShinyHunters” or the hackers to did this exfiltrated the data without leaving a trace, so Pluto TV never realized the breach.