I fully agree: Companies and their leadership should be held accountable when they cut corners and disregard customer data security. The ideal solution would be that a company is required to not store any information beyond what is required to provide the service, a la GDPR, but with a much stricter limit. I would put “marketing” outside that boundary. As a youtube user, you need literally nothing, maybe a username and password to retain history and inferred preferences, but trying to collect info about me should be punished. If your company can’t survive without targeted content, your company should not survive.

In bygone days, your car’s manufacturer didn’t know anything about you and we still bought cars. Not to start a whole new thread, but this ties in to right-to-repair and subscriptions for features as well. I did not buy a license to the car, I bought the fucking car; a license to use the car is called a lease.

In some ways 2fa is a weak spot even disregarding recovery processes being open to social engineering, now you’re giving a verified identifier uniquely tied to you

I generate unique email addresses and passwords for every account but can’t realistically do that with phone numbers

2fa by sms or voice isn’t especially secure anyway since you’re open to sim attacks and social engineering. I have a lot more hope for Passkeys but don’t really trust the practical advice arts of managing them yet

Ok, but what if it’s only hashed 80 000 times? Should I sue my provider?

Jellyfin doesn’t even have write access to my files. If they can get access into the container’s process then I guess they could add stuff to the web interface which could contain bad stuff.

It matters if someone manages to hide an exploit in jellyfin’s codebase, or more likely, a popular plugin. I imagine many folk have permissive outgoing firewall rules, in which case, an exploit could establish connectivity. Whether that eventually leads to privilege escalation on the jellyfin host would depend upon other variables.

edit: I should add that I’ve not used jellyfin and am unfamiliar with how plugins are implemented. I don’t want to speak out of turn, only to suggest, in the abstract, that just because software isn’t exposed to the net, doesn’t mean it cannot harbor exploits that could become problematic. Plugins just seem to be a common vector for such types of software.

Well. If you’re not streaming why have such a service in the first place? If I didn’t stream remotely with Plex (and share with my friends and family) I’d just go back to running Kodi on my htpc like I did ten years ago.

Lack of built-in 2FA for one thing

NaCl

Yes, the salt is stored right alongside the username and hashed password. The point of the salt isn’t to be unknown; It’s to make every single password unique before it gets hashed, which invalidates the hackers’ pre-generated rainbow tables. It forces them to re-generate their table for each user. Even identical passwords will create different hashes, because the salt is different for each user. Essentially requiring the hacker to brute force every single password, even after they have the database downloaded.

Basically, the hash algorithms are known. There are a few common ones, but they’re all reliable. A rainbow table is generated by running potential passwords through each hash, and saving the results. For a simplified example: maybe for a certain hashing algorithm, “password” generates the hash “12345”. I have a pre-generated table with millions of potential passwords that tells me as much. And I have repeated this for all of the most popular hashes. This gigantic database (literally hundreds of GB in size) of millions of potential passwords and resulting hashes for the most popular algorithms is my rainbow table. This took hours of cooking my CPU to generate.

So I hack an unsalted password database, and find a bunch of hashes that are listed as “12345”. I can now guess that they’re probably using that specific hash algorithm, and can immediately crack a bunch of passwords purely because I have already brute-forced them before I hacked anything. I can also crack the rest of the passwords much faster, because I’m only needing to brute force the one algorithm I know they used, instead of being forced to hash with all of them.

But now let’s say it’s a salted hash instead. When I hack the database, my pre-generated rainbow tables are useless. Because now “password” is not being hashed as “12345”. It’s being hashed as something entirely different, because the salt is added before it gets hashed. Even if multiple users use “password”, it still doesn’t help me because each of their salts is unique. So even if two different users use “password”, they’ll each return different hashes. So I need to recreate my rainbow table for every single user. Even if two users both used “password” I’ll still need to check each one individually, with their unique salts.

This doesn’t completely invalidate the breach, but it drastically slows down my ability to access individual accounts. The goal is simply to slow me down long enough for the company to be able to send out “hey, change your password” notifications, and for the users to do so. Without a salt, once I have the database, I instantly know which hash the company is using. And I can immediately access a bunch of accounts using my pre-generated rainbow table. But with the salt, I’m still forced to crack each user individually.

To be clear, weak passwords will still crack faster. A good password guessing attack doesn’t just brute force. It starts with known lists of common/popular/weak passwords, because that known list of weak passwords will often get you into an account extremely quickly.

the salt does not need to be encrypted. the point of it is that it makes a generic rainbow table useless, because the crackers need to compute hashes themselves for all passwords.

as they said, the purpose of hashing is to slow down the crackers, because they need to find the string that produces that hash. a rainbow table cancels that, it makes password lookup for an account almost instantaneous. but a rainbow table is only really useful for unsalted hashes, because for salted hashes a different rainbow table is needed that takes the salt into account.

If the hash is unique per person, hackers need to build a new table per person. It doesn’t matter if the hackers can get their hand on the salt; the point is that they cannot try the common passwords easily for all users; it takes N times as long where N is the number of users with a different salt (hopefully all of them)

I’m not entirely sure what you mean but my password manager alerts when the hash of one of my passwords matches one from a dark web data dump, and prompts me to replace it with a newly generated one.

I’m sure it’s not a unique feature

Admittedly I do have a few bad password, a combination of I don’t see how I could care (like a Reddit alt account) and sites that break the password change automation (yeah I’m lazy)

You missed the part about pepper. Pepper is something that’s added, like salt, but that isn’t stored with the password. A low security version of this is an environment variable, but it could also be a secure hardware device on the machine.

So it’s more like this:

• “p@ssword” + “hakf” + “pepper” -> “hifbskjf”
• “p@ssword” + “jkjh” + “pepper” -> “gaidjshj”

If an attacker only has the salt, they’ll “crack” the password into something that’s not the original password: brute_force("higbskjf", "hakf") - > "kdrnskk". The idea is that it might take a few days for the attacker to recognize the error, and by then the security team has already responded and locked the backdoor.

Even if the passwords are peppered, users should assume their password is compromised and change them. But peppering may prevent a cascade effect from reused passwords.

That’s all you can do though, extend the time it takes to brute force, so I’m not sure what the distinction being made is.

But if you can solve the hash by generating password guesses, hashing them, and comparing them to the hashed passwords in the database. Say I hash “p@ssword” and I use the salts sorted in the stolen database. I find that jon@example.com uses “p@ssword”. I then go to Amazon.com, login with Jon’s account, and order a bunch of stuff to my address.

Salt just makes it so I can’t hash “p@ssword” once and find everyone with that password the database. Instead I have to hash “p@ssword” multiple times. It really only slows me down.

I’m not a security expert, can someone tell me if I got that right?

They also say

meaning they cannot be read by a third party

which equally isn’t true.

If your password is guessable with trillions of attempts, and whatever information and time an attacker wants, then of course can they crack your hash, “read” your password, and try it on other services.

Sadly the kind of password susceptible to being broken on account of not being strong enough is also the kind people use everywhere because they memorize it. A truly strong password will only be found in a password manager.

If the password is securely hashed, and the attack only includes data exfiltration, then there’s theoretically no risk of breaking into users’ accounts anyways. However, the issue is that if somebody can log into your Plex account, that means they got your password somehow - and if they did get that password, they can use it elsewhere. So if there’s any reason to change your password on Plex, then there’s just as much reason to change that same password elsewhere.

Yeah, even if it is the law, companies do tend to fall short of adhering to said law. For example, a lab that does cancer screening got hacked and pretty much messed up their entire response.

Well, if it said “The attacker gained access to systems in October 2023 and we patched out the vulnerability during March 2025,” you’d be asking why it took so long to discover the intrusion and why they didn’t let us know for six months?

fuck plex for plenty of other reasons, but you can disable authentication on your local network.

If you just changed your password and now you don’t have access… Directly connect to the server http://<serverip>:32400/web and you’ll get the setup prompt to connect it back to your account.

If that doesn’t work you can restart the server and try again (should catch up that it’s unauth’d). Or run a tool like https://github.com/ChuckPa/UserCredentialReset to reset it so you can reauth it.

Which is the exact mindset that enables Jellyfin devs to not fix those issues, congratulations

But they are responsible for the unsecured / gruyere cheese product they ship.

Jellyfinn has a lot of holes and it is easy to deploy it in a insecure way by not techie people. Last time I checked they even didn’t have a recommended practices for hardening it

???

This is not about enshitification. The best user friendly app can be a security nightmare and an utterly crap can be rock solid.

It is not about that, not even development models or just rock star programmers.

It is about who has a performing security team and who doesn’t.

Good to read you know how to implement some protection layers around your jellyfinn :)

But most of the people (specially the plex ones) don’t have the technical background to deploy something like you have, and convince those people to do the switch without knowing how to protect themselves is not a wise thing to do. Specially when this time, plex response was perfectly fine :)

Other software may be insecure like that but you would only know after an incident happens because you cannot audit the source code.

You don’t need to audit the source code to find vulnerabilities in endpoints. You need source code to know exactly why it’s vulnerable. Plex is constantly being tested by jackasses like me who try random shit. Hell we just got a forced patch for plex that they rolled out this month. https://forums.plex.tv/t/plex-media-server-security-update/928341

Yup, and that’s why I still use it despite its security issues. I run it in a rootless container, so even if there’s some sort of breach, it should be contained.

you can just make your case and see what happens first.

Oh… You mean like half dozen or so times that I’ve already brought this up over the past 2 years on lemmy, and a while before that on Reddit? It’s only after I write a whole book on the matter that the upvotes kick in. And these discussions ALWAYS end up with much higher downvote ratios than most of the other stuff I comment on. Up to and including getting called names like “shill”.

Example of the last time this was brought up that I participated in… https://slrpnk.net/comment/15703455 (which got mod removed it seems… it’s still accessible to me on my server at https://lemmy.saik0.com/post/1622830) which was the “news” of a plex staff member leaving a comment for the plex app on the Google Play store…

Or this time… Where we were all complaining about the app redesign (which I also hate) https://lemmy.saik0.com/post/1517257… The root comment was lemm.ee though… which is gone. My comment starts at https://lemmy.saik0.com/comment/4476520.

I’ve discussed the matter ad nauseum… and more often than not it’s received pretty poorly. It’s not a cop out or “bitch-ass pre complaint” when I have the history to point at.

Edit: Oh and here too… https://beehaw.org/post/19228632

Don’t expose Jellyfin and you don’t have a competitor program that does what Plex does… stop recommending it as a replacement if it’s not a replacement. And this is ignoring that it’s recommended to expose to the internet on their own documents.

But you are forced to make a Plex account, if you want to use it.

You’ve missed the point. You can’t be mad at plex for taking action and closing security gaps after becoming aware of them… then in the same breath recommend a service that can’t even be on the internet because it’s so poorly secured.

So how are they hacking you? I mean I don’t see those issues as really bad. Should it be fixed yes can anyone really do anything bit that I can see. Am I missing something.

Complete access to your media without authentication isn’t “don’t give you any data”.

Meanwhile you’re all frothing at the mouth cause Plex leaked email addresses and encrypted passwords.

And you’re correct. It’s not a breach… because it wasn’t protected to begin with.

Edit: You ninja edited your post… bad nettiquette.

put the endpoints behind your own authentication through your reverse proxy.

Breaks every app for jellyfin including tv apps. So no. that’s not a valid answer.

Edit2: And I want to be clear about this… I don’t simp for Plex I want off of the platform too… But Jellyfin in it’s current state is a much worse security nightmare IMO. I can at least kill the plex relay binary and packet sniff it to know that it’s not sharing data I don’t want it to share. Jellyfin just lets everyone in that can guess a filepath (which you can “fix” by obfuscating it… but ask any security professional about that.) and somehow Jellyfin is the messiah? Devs ignoring a 5+ year old issue that already proof-of-concepted… is wild.