Cyber Incident Victim: Pluto TV
Date: Oct 2018
Location: United States of America
Summary
A hacker group leaked approximately 3.2 million user records from an internet television service; the breach is attributed to the threat actor ShinyHunters. The stolen data included display names, email addresses, bcrypt-hashed passwords, birthdates, device information, and IP addresses, with samples confirming legitimate user information. While the victim acknowledged investigating the incident, external validation confirmed the authenticity of exposed credentials, indicating unauthorized access to customer accounts.
Description
The Pluto TV data breach incident involved the unauthorized access and public release of user account information attributed to the threat actor known as ShinyHunters. On or around October 12, 2018, a database containing approximately 3.2 million Pluto TV user records was compromised, though the breach remained undisclosed until November 2020, when the stolen data appeared on a hacker forum. The exposed records included members' display names, email addresses, bcrypt-hashed passwords, birthdays, device platform information, and IP addresses. Forensic analysis of the leaked samples indicated the data was approximately two years old at the time of disclosure, with the most recent records dating to October 2018. Security researchers at BleepingComputer verified the authenticity of email addresses within the sample dataset, confirming they belonged to valid Pluto TV accounts. The breach occurred amidst a series of cyber intrusions attributed to ShinyHunters, who had recently resurfaced after a period of inactivity and claimed responsibility for multiple high-profile data thefts including Animal Jam, 123RF, and Microsoft's private GitHub repository.

Pluto TV, an internet television service with over 28 million registered users and 10 million mobile app installations at the time, acknowledged awareness of the claims but did not formally confirm the breach's occurrence in its initial statement. The company stated it was actively investigating the matter while emphasizing that any potential compromise of user security would be treated with the highest priority. Independent verification established that legitimate user information had been exposed, prompting security advisories for affected individuals. The bcrypt hashing of passwords provided some protection against immediate credential misuse, though the exposure of personal identifiers and historical authentication data created potential risks for credential stuffing attacks and targeted phishing campaigns. No evidence suggested unauthorized access to Pluto TV's streaming platform itself following the data disclosure. Users were advised to change their Pluto TV passwords as a precautionary measure, particularly if they had reused credentials across multiple online services. The incident highlighted persistent challenges in detecting historical breaches and securing large-scale user databases against sophisticated threat actors.
