Plex: Potential Data Breach, Password resetting required

[V_R]

Anyone else get the email this morning?

Dear Plex User,
We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.

What happened
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

What we're doing
We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.

What you can do
Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password here.

 

[Semple]

Just found it in my email.

Doesn't bother me, I'll just spin up another random password for the account.

 

[Kainz]

Got it an hour ago too. I’ll have to do the change later as I’m heading to work.

 

[Gregvivi0401]

Got one as well this morning.

 

[uvarvu]

I received this as well. It's times like this when I'm relieved I use a password manager.

 

[alexakasloth]

Just received this email as well.

 

[Kesomir]

Yup fortunately was a random password, have reset.

 

[krooton]

Weird, no email for me, checked everywhere.

 

[Rainmaker]

I got the email at 7.02 and requested a password reset immediately (though I had a unique password and 2fa anyway). First the email didn't arrive, then the code was invalid, then the reset hung and the page didn't update, then it turned out they'd reset it anyway, but the apps/site wouldn't sign in because their server overloaded, then it signed in and let me adopt the server again... but logged me out and their server died again... Finally sorted it a while later. Jokes. Some people on Reddit raised the interesting question of what exactly was breached/accessed? Plex collect a lot of data. Media library contents? Play stats? They also worded the email ambiguously. Passwords were hashed and encrypted? Really? Do they mean salted (they *were* salted, right??)... Questions need answering lol.

 

[Jonny2284]

Got it this morning.

As above, it's 2fa and a unique, random password so it's no loss to change it but still brings up some questions of the why and how.

 

[casper_uk]

I prefer Jellyfin to Plex. I recommened people trying it out if they are fed up, or don't want to pay for a Plex pass etc. No central account to be stolen either!

 

[Rainmaker]

When I reset the password on the account, I kicked off all existing devices so everyone had to sign in again. I also went into my Authorized Devices menu, and saw that actually despite saying they'd cleared it, users going back months were listed. I manually removed them all, and lo and behold - the kids can still open Plex and click their user and sign in with no authorisation or challenge. Something's still seriously borked at Plex's end.

 

[smokedog]

Went in and wanted to delete my account but the delete button doesn't work, it gives you password reset options instead.

 

[something daft already!!]

Had it, changed password. No drama.

 

[Rainmaker]

I 'fixed' (read: worked around) the phantom users issue. It seems managed users are allocated a session token rather than relying on your credentials, once you've signed them in on your account initially. They could (and can) browse the libraries and stream unabated, but as soon as I hit the user switcher to my main account, it pops up saying credentials expired - please log in again. Sorted, but not ideal - these auth tokens should all have been killed at source when the breach was discovered.

 

[krooton]

Ah, I use facebook as my login, so I guess no password to actually change.

 

[Rainmaker]

Ah, I use facebook as my login, so I guess no password to actually change.

Euw.

 

[glenimp617]

Surely the passwords were encrypted?

 

[kitkat9933]

Surely the passwords were encrypted?

Let’s hope not. They should be hashed with salt and pepper on top.

 

[V_R]

Surely the passwords were encrypted?

What happened
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.