Security company begins warning Pluto TV customers of breach

More than 3 million passwords were dumped on the dark web, researchers say.
The logo of Pluto TV appears superimposed over a generic cybersecurity background.
(Logo: ViacomCBS, Graphic designed by The Desk)

A prominent security company began notifying customers this weekend of a breach affecting millions of e-mail addresses, IP addresses and passwords stored by streaming TV service Pluto TV.

On Saturday, customers of the Firefox Monitor service received messages alerting them of an email and password dump following a compromise of streaming service Pluto TV’s systems. The account information was  released by a hacking group in early November.

The leaked list contains around 3 million e-mail addresses, IP addresses and passwords, with the latter being encoded using a security technique known as “hashing” that rendered them largely inaccessible to hackers and others.

The user information relates to an earlier version of Pluto TV that allowed customers to set up a password-protected account in order to store and sync a list of favorite channels. The feature pre-dated Pluto TV’s eventual acquisition by media giant Viacom in early 2019. (Viacom merged with CBS to become ViacomCBS later that year).

Pluto TV’s current incarnation does not allow for users to create accounts, and the most-recent account information in the password dump appeared to be from late 2018.

A Pluto TV spokesperson did not return a request for comment in mid-November when the user information was leaked online, but a source familiar with matters told The Desk that the company was treating the incident as a legitimate compromise of user information.

The information was added to the Firefox Monitoring database on Saturday,  and notifications went out to customers of Firefox’s security service that same day.

“Firefox Monitor warns you about data breaches involving your personal info,” the warning message read. “We just received details about another company’s data breach.”

A Firefox Monitor support webpage told users to “take steps to protect yourself,” even if they didn’t remember creating an account with Pluto TV or felt the credentials were too old to be worried about them.

“If you haven’t changed your password on the affected account yet, do that right away,” the support webpage said. “If you use that password elsewhere, you should change those too — otherwise hackers can use your login details on other websites.”

People who think their customer information may have been compromised in the Pluto TV breach can check their e-mail addresses for free via Firefox Monitor by clicking or tapping here.

Thanks for reading and supporting The Desk. If you have a question, comment or news tip, send a message by email or text, or connect on Facebook, Twitter or LinkedIn.

Also, check out our new membership service The Desk: Pro Access for exclusive reporting, news scoops and in-depth analysis.