A data breach results when a cyberattack lets cybercriminals gain illegal access to a computer system or network and steal the private, sensitive, or confidential personal and financial information of the clients or users it holds. Today, Plex, a well-known home media server programme, disclosed a data breach compromising some of its users’ private information. The company has been sending out emails to inform people of what has happened and what they should do next.

Thankfully, no cardholder data was compromised. However, the malicious parties have access to user data, including encrypted passwords, usernames, and email addresses.

Here’s the information shared by Plex with their customers.

Your Plex account information was involved in an incident on 2022-08-22, and we want you to be aware of it.

Even though we think this incident won’t have much of an actual impact, we want to ensure you have the knowledge and resources you need to keep your account secure.

What happened

We found suspicious behavior on one of our databases on Monday (2022-08-22). We started looking into it right away, and it does seem that a small subset of data, including emails, usernames, and encrypted passwords, was accessible by a third party.

Plex is forcing all accounts to change their passwords even though all account passwords accessed were hashed (with bcrypt plus salted and peppered) and safeguarded in accordance with best standards.

Please do not save your credit card or any other payment information on our systems, to avoid its exposure in this incident.

What we’re doing

We have rectified how a third party entered the system and are conducting additional checks to toughen the security of our systems to thwart intrusions in the future.

Even though Plex uses the best standards to safeguard the account passwords, all Plex accounts must change their passwords.

What you can do

To cut a long tale short, we politely ask that you promptly reset your Plex account password.

There is a checkbox to “Sign out linked devices after password change” when doing this.

Additionally, you will need to log in again using your new password on all of your devices (including any Plex Media Servers you may own).

This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password here.

We’d also like to remind you that no one at Plex will ask for a password or credit card number.

For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.

Finally, we want to express our heartfelt regrets for any inconvenience this incident may have caused you.

We take great pride in our security system and want to reassure you that we are doing all in our power to promptly address this issue and stop similar ones from happening in the future.

We at Plex are well aware that outsiders will continue to try to hack into IT systems all around the world, therefore you can be sure we won’t ever get complacent in fortifying our security and defenses.

For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/account-requires-password-reset/

Common Issues

Some common issues that have come up:

  • If you want to terminate your Plex account or make other significant account changes, including changing the email address, you must first change or reset the password before proceeding with the account modification.
  • If you are still logged in to the web browser app but are having difficulties receiving the reset email, you can manually change your password directly through your Account page (https://app.plex.tv/desktop/#!/settings/account).
  • In cases where you get a “not authorized” or similar error when trying to access your Plex Media Server, you likely need to (re)claim/sign in to the server. Info on claiming a server can be found here as well as troubleshooting for claiming here.