- Pluto TV continues to play down the user data leak that has appeared on the dark web a few weeks back.
- Thousands of users are receiving password reset requests, though, and the DMs sent to the company remain unanswered.
- Pluto TV unofficially stated that the event is not severe enough to send out notifications to the affected users.
A large number of Pluto TV users have received password reset requests, indicating that someone who knows their email address is attempting to take over their accounts on the platform. Indeed, there’s a new database circulating on the dark web at the moment, which appears to belong to Pluto TV, the American online TV service.
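One way a platform's security team could spot a wave of password reset requests like the one described above is to look for a single source address requesting resets for many distinct accounts inside a short window, which ordinary users never do. The following is an added example, not code from Pluto TV or from the original article; the log line format, the sample lines and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not Pluto TV data): "<ISO time> <event> <account> <source IP>".
# One address fires resets at many accounts within seconds; two ordinary users
# reset their own accounts from their own addresses, and one login is unrelated.
SAMPLE_LOG = """\
2020-06-02T09:00:01Z password_reset_requested user1@example.com 203.0.113.7
2020-06-02T09:00:02Z password_reset_requested user2@example.com 203.0.113.7
2020-06-02T09:00:02Z login_success user9@example.com 198.51.100.3
2020-06-02T09:00:03Z password_reset_requested user3@example.com 203.0.113.7
2020-06-02T09:00:04Z password_reset_requested user4@example.com 203.0.113.7
2020-06-02T09:00:05Z password_reset_requested user5@example.com 203.0.113.7
2020-06-02T09:00:06Z password_reset_requested user6@example.com 203.0.113.7
2020-06-02T09:01:10Z password_reset_requested user7@example.com 198.51.100.21
2020-06-02T09:30:00Z password_reset_requested user8@example.com 198.51.100.44
"""


def parse_line(line):
    """Split one log line into (aware UTC timestamp, event, account, ip)."""
    ts, event, account, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, event, account, ip


def detect_reset_storm(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return (window_start_iso, ip, distinct_account_count) for every fixed time
    window in which one source IP requested resets for >= min_accounts accounts."""
    window_s = int(window.total_seconds())
    # window start (epoch seconds) -> source ip -> set of accounts targeted
    buckets = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, account, ip = parse_line(line)
        if event != "password_reset_requested":
            continue
        bucket = int(when.timestamp()) // window_s * window_s
        buckets[bucket][ip].add(account)
    alerts = []
    for bucket, per_ip in sorted(buckets.items()):
        start = datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat()
        for ip, accounts in sorted(per_ip.items()):
            if len(accounts) >= min_accounts:
                alerts.append((start, ip, len(accounts)))
    return alerts
```

Accounts named in an alert are the ones to notify and to protect with a forced credential rotation, regardless of whether the leaked hashes are ever cracked.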
We reported on this three weeks ago and warned that even though the data appears to be old, it could still be exploited by hackers.
The 3.2 million records include email addresses and usernames, IP addresses, device platforms, and birth dates. Unfortunately for the hackers, the passwords contained in the database are hashed with the bcrypt algorithm, which is practically impossible to crack. Pluto TV has remained silent about all that has been going on in the past month, not admitting a data breach and letting it pass as a typical credential stuffing attack - which it clearly isn’t.
Thousands of users have sent DMs to the company asking for action and explanations, but they have not received any response even after days of waiting. This is totally unacceptable for a company that touts respect for its customers, though it could be that the company is simply overwhelmed. Possibly, Pluto TV doesn’t want to misinform customers before it has a concrete explanation to give, but it should at least provide some kind of assurance.
Motherboard managed to extract a statement from the company, saying that the matter remains under investigation. As they explained, the breach was very limited and didn’t include usable passwords. Thus, it is not considered a serious security incident, so there has been no proactive notice on the exposure.
This isn’t a satisfying response, though, as the exposed users are still running the risk of getting scammed or phished. Additionally, weak passwords can still be cracked even if they are hashed with bcrypt.
As Troy Hunt (creator of “Have I Been Pwned?”) commented, even the exposure of an email address alone should constitute a serious enough reason to send out notifications. The researcher finds Pluto TV’s reasoning completely nonsensical and characterizes it as inconsistent with people’s expectations.