I am glad they were hashed, but that's a misleading statement. The point of hashing is to slow an attacker down, even with full best security practices (e.g. salt + pepper + argon2 w/high factors) they can still be reverse engineered. It is a matter of when, not if.
I'll pay you $10k if you can crack this sha512 hash.
I'd offer a million, but I don't have that kind of money.
5a55b7b0e1f9452f925b1aa43cf148081da58c66c735961d9a7cb699b2fd5b08bee6b24ec47fce0b93ba49df83641a30c7843dece49e0a0db5a7c50901492fdd
It's technically true that all cryptography is just slowing things down, but we are talking about heat death of the universe lengths of time for most crypto algorithms.
*assuming quantum computing doesn't take off or a fundamental flaw isn't found in the crypto.
It isn't academic either. I have broken tons of cryptographic hashes in my career. Most of my colleagues have too. From DES through bcrypt over tens of years. The cost/performance has slowed, but the techniques haven't changed one bit because PEOPLE haven't changed one bit.
Obviously nobody can crack a sha512 hash likely containing a randomly generated cryptographic number. But that's irrelevant, because we're discussing the Plex security incident where humans created passwords, and humans today, tomorrow, and ten years ago are just as incapable of creating good passwords.
So their claim that these hashes "cannot be read" is inaccurate. If you have a modest budget and want to target a handful of accounts, there are multiple CHEAP cloud services that will happily sell you compute to do so.
You should be using the solutions readily available instead of trying to reinventing the wheel, or avoid this subject altogether if you can't be bothered to educate yourself as to why.
This has been a decades-long issue, and it blows my mind how people in IT still didn't get the memo.
Use argon2, scrypt or even bcrypt who all are designed for keeping passwords secure with regards to brute force cracking.