Low-level hackers are trading a database of user information stolen from Pluto TV, a popular American internet television service. But Pluto TV has decided not to proactively inform users of the breach.
The move is somewhat unusual in a space where companies increasingly inform their customers of data breaches, even regarding breaches that do not include passwords themselves, but other information such as email addresses.
"I have received password reset requests about it," one Pluto TV user, who has not received any communication from the company despite contacting Pluto TV, told Motherboard. Motherboard granted the user anonymity so as to avoid bringing more attention to their potentially breached data in particular. The user said they reviewed the breached data and that it includes their email address.
Do you know about any unreported data breaches? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Pluto TV, which is free to use and is advertiser-driven, has 28.4 million users, according to Variety. Its Android app has been downloaded over 10 million times, according to the app's Google Play Store page.
The data breach itself impacts an alleged 3.2 million Pluto TV accounts, Bleeping Computer reported in mid-November. A sample shared by a data trader on a low level hacking forum contains display names, email addresses, date of birth, device platform, IP address, and hashed password. The passwords are hashed with the robust bcrypt algorithm, meaning that hackers are generally unlikely to be able to crack them and obtain users' actual passwords. The data appears to be two years old, the report added.
Bleeping Computer said it verified that all the email addresses shared in a sample of the data do belong to Pluto TV members. Motherboard also identified the forum where low level hackers are trading the data and viewed the Pluto TV data sample.
But on Thursday, Pluto TV told Motherboard it was only communicating about the breach with users who have reached out to the company.
"While this matter remains under investigation, no new or additional information has been presented that differs from what’s been reported to-date. As we continue to investigate this matter, we are communicating with users who have reached out to us directly to address any questions or concerns," Pluto TV's statement read.
"I sent a DM to the company about two days ago to no response. No emails. In fact the last email from them I saw from them was from April."
The company elaborated to Motherboard that due to what it described as the limited data exposed, such as the breach not including plain text passwords and only hashes, that it has decided not to inform users writ large, and instead only respond to those who have contacted the company.
It appears unlikely that users behind all of the 3.2 million accounts are aware of the data breach, so it is not clear how many impacted users would reach out to the company in the first place.
Troy Hunt, maintainer of breach notification service Have I Been Pwned?, told Motherboard in an online chat that Pluto TV’s "reasoning is completely nonsensical and inconsistent with people’s expectations. The exposure of an email address alone should result in notifications being sent, but passwords as well—even if hashed with bcrypt which can still be cracked, especially for weak passwords—should absolutely require notifications to be sent."
Other companies, small and large, regularly and proactively disclose data breaches to all of their impacted users. Many of those breaches contain the same sort of data as the Pluto TV breach, including hashed passwords, and sometimes passwords hashed with the bcrypt algorithm too.
Even some of those who contacted Pluto TV have not yet received a response, though.
"I sent a DM to the company about two days ago to no response. No emails. In fact the last email from them I saw from them was from April," the Pluto TV user told Motherboard.
Update: This piece has been updated to include comment from Troy Hunt.