Dear Plex User,<p>We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.<p>What happened<p>Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.<p>What we're doing<p>We've already addressed the method that this third party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.<p>What you can do<p>Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security.
We have created a support article with step-by-step instructions on how to reset your password [here](https://support.plex.tv/articles/account-requires-password-reset/?utm_source=Plex&utm_medium=email&utm_content=reset_password&utm_campaign=sql_db_password_reset).<p>We'd also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling [two-factor authentication](https://support.plex.tv/articles/two-factor-authentication/?utm_source=Plex&utm_medium=email&utm_content=reset_password&utm_campaign=sql_db_password_reset) on your Plex account if you haven't already done so.<p>Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses.<p>For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/account-requires-password-reset
Thank you,<p>The Plex Security Team
If true, then this will probably reignite discussions around Plex requiring that you authenticate with their servers when using the service to view content that you're hosting on your own hardware.<p>If anyone is curious, then alternatives like Jellyfin exist. It's a bit different and may not have all the features you need, but it works quite well in my experience.
I like that they're up front about this. Solved the problem in a couple of minutes.<p>I use a password manager with a very long randomly generated password for everything, so a hashed password leaking is essentially meaningless to me. Notifying me immediately so that I can change it ASAP is what matters.<p>The burner e-mail I use for stuff like this is listed in 25 other data breaches, too. I don't really care. Plex is amazing software.<p>I don't really understand the freak outs here.
This disclosure is nowhere to be found on their website or blog, and it provides no timeline, no details about the attack, and no details about what data was accessible beyond "a limited subset of data that <i>includes</i> emails, usernames, and encrypted passwords". Very very frustrating.<p>As of Aug 23, 11:24 PM PST, the password change page is sort of working, at times displaying the error message "Internal Server Error. Something went wrong on our end". I was able to get my request through. Shortly after, a server instance started showing unclaimed status and reassociating it resulted in "Plex is down for maintenance \ Don't worry, it will be back soon \ status.plex.tv".
And now the sender sending the "reset password" email is blacklisted by SpamCop, I presume because they are sending so many emails from a server that normally doesn't send much. They are not having a good day.<p><a href="http://www.spamcop.net/w3m?action=checkblock&ip=192.254.122.79" rel="nofollow">http://www.spamcop.net/w3m?action=checkblock&ip=192.254.122....</a>
I have a feeling that this breach is older than what they're letting on.<p>On July 27th, I received ~7 emails, about 10 minutes apart, warning me of a new device logging in to my Plex account. It didn't correlate with any activity on my part, and the IPs were all over the place (for context, I'm in France). Here are some of the IPs that were used:<p><pre><code> - 191.101.41.35 (US)
- 185.199.103.40 (US)
- 103.43.200.58 (India)
- 2001:16a2:def3:200:40cf:530f:ff72:1747 (Saudi Arabia)
</code></pre>
Fortunately the password is only used on Plex, and I just generated a new one and signed out my devices, and that was it.
I personally wish companies would encrypt email addresses in their database; this would at least help against SQL injection attacks and some others (e.g. the attacker has only DB system access and not app server access), so it's more difficult for attackers to aggregate data on me. To me it feels very casual, waving away the leak of email addresses and just giving the usual "passwords were encrypted". But YMMV.
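A stdlib-only sketch of the approach the comment above suggests, added here as an example (it is not Plex's code and not the commenter's): e-mail addresses are encrypted by the application before they reach the database, and a keyed blind index lets login-by-e-mail still work without the DB ever holding plaintext. Assumptions: keys live outside the database (here they are generated at import time for the demo), HMAC-SHA256 in counter mode plus an HMAC tag stands in for a real AEAD such as AES-GCM or XChaCha20-Poly1305, an in-memory SQLite DB stands in for the production store, and the table and function names are invented for the illustration.

```python
"""Application-layer encryption of e-mail addresses with a blind index.

Added example, not from the thread. Stdlib only; the PRF-in-counter-mode
cipher below is a stand-in for a proper AEAD (use AES-GCM / XChaCha20-Poly1305
from a real crypto library in production).
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed demo keys. In production they come from a KMS/HSM or secrets
# manager, are never stored next to the data, and are rotated. Three separate
# keys: keystream, integrity tag, blind index.
ENC_KEY = os.urandom(32)
MAC_KEY = os.urandom(32)
INDEX_KEY = os.urandom(32)

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ENC_KEY, nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ENC_KEY, nonce, len(ct))))


def normalize(email: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


def blind_index(email: str) -> bytes:
    """Keyed hash of the normalized address. Lookups work, but without
    INDEX_KEY an attacker cannot test a wordlist of addresses against it."""
    return hmac.new(INDEX_KEY, normalize(email).encode(), hashlib.sha256).digest()


def open_db() -> sqlite3.Connection:
    # Hypothetical schema for the demo: no plaintext e-mail column at all.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email_idx BLOB UNIQUE, email_enc BLOB)"
    )
    return db


def add_user(db: sqlite3.Connection, username: str, email: str) -> None:
    # Parameterised query: encryption complements, not replaces, SQLi hygiene.
    db.execute(
        "INSERT INTO users (username, email_idx, email_enc) VALUES (?, ?, ?)",
        (username, blind_index(email), encrypt(normalize(email).encode())),
    )


def find_user(db: sqlite3.Connection, email: str):
    """Login-by-e-mail: match on the blind index, then decrypt in the app."""
    row = db.execute(
        "SELECT username, email_enc FROM users WHERE email_idx = ?", (blind_index(email),)
    ).fetchone()
    if row is None:
        return None
    return row[0], decrypt(row[1]).decode()


def dump_leaks_plaintext(db: sqlite3.Connection, email: str) -> bool:
    """The attacker's view: read every raw column (SQL injection, leaked backup,
    DB-only credentials) and check whether the address appears anywhere."""
    needle = normalize(email).encode()
    for row in db.execute("SELECT id, username, email_idx, email_enc FROM users"):
        for col in row:
            raw = col if isinstance(col, bytes) else str(col).encode()
            if needle in raw:
                return True
    return False


if __name__ == "__main__":
    db = open_db()
    add_user(db, "alice", "Alice@Example.com ")
    print(find_user(db, "alice@example.com"))        # ('alice', 'alice@example.com')
    print(dump_leaks_plaintext(db, "alice@example.com"))  # False
```

The point of the `dump_leaks_plaintext` check is exactly the scenario the comment describes: someone who can read tables but cannot reach the application's keys sees only ciphertext and keyed hashes, so the addresses cannot be correlated with other breaches. The blind index trades a little functionality (no wildcard or case-insensitive search beyond what normalization gives you) for that property, and it must use its own key: reusing the encryption key for the index would let anyone with one key attack both columns.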
Thanks for sharing this. I got the email, but found it here first. They let us know pretty fast, and gave clear instructions on how to secure our accounts moving forward. That can't be said for all companies that we trust with our info.<p>It sounds like payment data was stored in a separate database that had a different set of credentials (for this I am grateful).<p>Thanks to The Plex Security Team for providing details quickly.
I'm a long time Plex user, and I have not received this email. Not sure if I should be worried or if the breach has just affected a subset of users.
I use random unique passwords for everything anyway; as long as no credit card details were taken it shouldn't be a big deal, hopefully.
I was able to log into the site now and no message was displayed at all.<p>Edit: Not sure why I would be getting down-voted for this.
Security breaches are a big deal, but if the only result of this for the users is that we need to change our passwords, that's a fairly good outcome, no? :-) The biggest hurdle ahead for Plex is to figure out exactly what these attackers did, if they were directly targeted and for how long they were in their network. A lot of the time, when an incident is discovered, it's discovered a long time after the first breach (based on my own personal experience).
Ugh, I feel like this is becoming a regular thing I need to look at with Plex...<p>Has anyone tried any alternatives that have a decent Apple TV client?<p>I have tried looking a couple of times over the last couple of years and that is always my blocking point.<p>Ideally not a third-party one. I know Jellyfin has a third-party option, but it always seems to have issues with my library and needs to update its cache (or something), and my experience with it was not great. Kodi seems like it might have one, but it isn't available through the App Store.<p>Bonus if it can somehow import my watch history (but not required, that is a minor issue).<p>As much as I hate Plex and all of the unnecessary features they keep adding, they seem to be the only one with a decent client.
I noticed last week that my Plex server was using a lot of CPU when I was not watching Plex. Since I almost never use it, I just killed the server process, thinking that it was running amok because of some bug.<p>It all became clear when I got this email last night. I was suspicious, but now I'm pretty certain that my account was exploited, and my local media was being streamed by a third party.
Ugh, checking that box signed out my server and I've yet to figure out how to sign the thing back in.<p>EDIT: Figured it out. Need to access the server from the same network (or tunnel to it). You won't see server settings from external network.
It's funny that everyone here is expecting airtight security practices, proper vulnerability disclosure and general trustworthiness from an app that's a tiny step above the likes of BitTorrent and PopcornTime.
Ouch, this sounds very similar to the breach that happened to Plex in 2015. [1]<p>1: <a href="https://news.ycombinator.com/item?id=9817160" rel="nofollow">https://news.ycombinator.com/item?id=9817160</a>
"Forgot my password" doesn't work, nor does the settings-screen password change.
If you're going to ask all your users to reset passwords, you might want to actually scale up to allow them to do that.
RoboForm Password Manager is being offered free (1 yr) due to the Plex breach!
Here is the url with instructions: <a href="https://www.roboform.com/promo/plex" rel="nofollow">https://www.roboform.com/promo/plex</a>
Funny. I got the e-mail about the data breach (which I was actually surprised to get, as I had a local-only version of Plex running on my Desktop computer a while ago), but I am not getting the "reset password" emails... not even in spam :).
RoboForm Password Manager is being offered free (1 yr) due to the Plex breach! (expires 8/28)
<a href="https://www.roboform.com/promo/plex" rel="nofollow">https://www.roboform.com/promo/plex</a>
OT but have others found the Plex Mobile UI completely baffling when it comes to understanding how to download, sync and then delete content that has been synced to that device? I get lost trying to do so every time.
Thank you for reminding me that I need to delete my account with you. Now if you could only keep your service up and running long enough for me to change my password so I can log in and remove my account.
I wonder if "<i>we discovered suspicious activity on one of our databases</i>" == SQL injection?<p>I've been through this exercise before with one of my businesses, and I disclosed what/where the injection was and what our remediation was for the problem.<p>I don't understand the outrage though from this community. I don't think there is a large web business today that hasn't been through an SQL injection compromise. Even the largest platforms in the world, like Facebook, etc., have had an issue like this crop up.
Is it safe to reset the password when there is so much instability with server errors and so on? Do we know that the door has been closed on the intrusion and the hack patched? Right now it feels like I'd be replacing a lost and known insecure password from ages ago for a service I no longer use with a secure one only to have it stolen again.<p>A delete account option would be nice in this case. I'd rather just have my data deleted even if it has already been compromised just to tie off this loose end.
…and now Plex.tv/link is down, so none of my media players can sign back in.<p>I hope that Plex learns from this and implements LAN-only logins (or LAN-only access) again.
Yay. So I used the "Change Password" stuff and to sign out connected devices and now I seem to have lost access to my local server.<p>I'm guessing it's because of load on their stuff, but it's quite a pain in the butt when I usually use Plex to listen to (my local, legally ripped) music while working.
> we want to ensure you have the right information and tools to keep your account secure<p>Which is of course a bald-faced lie; otherwise they would never have forced users to open Plex accounts, or removed the ability to conduct authentication locally.
Like clockwork. I just joined recently and of course they have a breach. I knew I should've stayed away when they required an account for you to view your own media. Does Jellyfin let you get past this security issue?
I'm interested to know more about how a third party was able to access the data, so that others can learn from it and use it as a case study for increasing security controls in areas where there may be deficiencies.
I received this email at 10:42pm PST.<p>At the time, I could not find the disclosure on their website.<p>I'm glad they disclosed shortly after discovery, but not publishing it on their site is an odd choice.
I just learned that in 2021, Plex was acquired by Rockwell Automation. Had no idea that had happened. That seems like an odd company for them to acquire.