Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy Security

Plex Breach Exposes Usernames, Emails and Encrypted Passwords (theverge.com) 43

Streaming media platform Plex sent out an email to its customers earlier today notifying them of a security breach that may have compromised account information, including usernames, email addresses, and passwords. Although there is no sign that the encrypted passwords were exposed, Plex nevertheless is advising all users to change their passwords immediately. From a report: Plex is one of the largest media server apps available, used by around 20 million people to stream video, audio, and photos they upload themselves in addition to an increasing variety of content the service provides to paid subscribers. The email states, "yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords." There is no confirmation that other personal account information has been compromised, and there's no mention of private media libraries (which may or may not include pirated content, private nudes, and other sensitive content) having been accessed in the breach.
This discussion has been archived. No new comments can be posted.

Plex Breach Exposes Usernames, Emails and Encrypted Passwords

Comments Filter:
  • Self hosted software that you pay for? with a subscription? Definitely not a bad idea
    • I prefer Jellyfin. That has been working well for me so far.
      • I'd switch if Roku, PS5, or Visio had clients.

      • by Kokuyo ( 549451 )

        Better than Plex and Emby for various and differing reasons.

        I just wish it had more options... like telling the web client to cache the whole stream when you're driving through spotty reception.

      • Last time I needed something like Plex the purpose was to stream media to my Xbox 360 (which I have long since sold, I sold all my console stuff to a shop at once and got decent money for it.) And then I found PS3MediaServer which did that job just fine.

        I always thought Kodi had some kind of shared media library backend that was merely very difficult to get working, but now when I look for information on it I just find instructions on using emby or mezzmo. This is dumb AF. Kodi has all these many functions

      • ^ Thanks for the tip. I've been wanting something to replace Plex for years.
        • Your welcome
          There is also Emby [emby.media], but that looks like it is going to try to move to a similar model as Plex. Or at least those were the rumors I heard. They could've been baseless.
          Jellyfin [jellyfin.org] handles what I want it to do just fine. So I stuck with it.

          Linkage for the people
      • by msk ( 6205 )

        Does Jellyfin display captions in Matroska containers? The Roku Media Player does not.

      • Jellyfin is nice, agreed. I've been looking for decent Plex replacements for a few months now...

        However, I was so impressed with Infuse 7 that I paid for a yearly subscription. It works very well, has a decent enough interface, and I don't have to manage a server software to accommodate sharing my media, other than setting up one-time SMB shares (with a user/password).

      • Comment removed based on user account deletion
    • by aitikin ( 909209 ) on Wednesday August 24, 2022 @09:44AM (#62817583)

      Self hosted software that you pay for? with a subscription? Definitely not a bad idea

      Can my semi-technologically illiterate friends understand how to route to my server and get to the media I intend to share with them via VLC or similar? Definitely not. Plex is, and has been, a relatively simple system that passes the, "Could my 75 year old mother use this without calling me after it's setup?" test.

      Additionally, I don't want to have to jump through the hoops of routing VLC when I'm not within my own network, don't want to navigate multiple, vastly different UIs to do DNLA on differing platforms.

      I changed my password, but none of my critical information is associated with the account. I got their paid service lifetime membership about a decade ago, so all the credit info and everything is out of date. The only thing someone would've gotten for me is a throw-away email address that I use for things like this, and a password that I don't care about.

      • by Pascoea ( 968200 )

        Plex is, and has been, a relatively simple system that passes the, "Could my 75 year old mother use this without calling me after it's setup?" test.

        This right here is Plex's claim to fame. Back when XBMC required a hacked Xbox, and Plex was in its infancy as well, Plex was dead simple to install/use, and it just worked. I screwed around for quite a while to get XBMC to work, gave up and install Plex and haven't looked back.

      • Yep... as a long time Plex user, I have to agree. The Plex "player/viewer" application is included or downloadable for free for most set-top TV boxes and smart TVs these days, which is a pretty big deal if you want your hosted content to be easy for the average user to enjoy.

        My biggest "ease of use" gripe is the somewhat recent redesign of the menus in the Plex client (the one you'd install as the app for Windows or on iOS or Android). The default is to give you menus on the left-hand side of all the stream

        • by Anonymous Coward

          G'Day,
          You do realise you can pin any menu item from a server and put it on your home screen.
          Just use the left arrow on your controller when a menu item is selected and select the 3 dots and then select pin.
          HTH

          • by aitikin ( 909209 )

            Holy shit, a useful post by an AC!

            I literally came here to point out that you can unpin their stuff and pin your own for King_TJ's benefit.

            • by King_TJ ( 85913 )

              Except actually, I'm aware of the ability to pin menu items, and make use of that already.

              Even with pinning them, you can't make them show as the main/top listed menu options though, which is what I want.

    • Self hosted software that you pay for? with a subscription? Definitely not a bad idea

      To be fair, the Plex media server and most clients (except the phone ones) are all free. Subscription gets you DVR support and some bonus features like HDR, lyrics for music, etc.

      • Subscription gets you DVR support and some bonus features like HDR, lyrics for music, etc.

        For me, the biggest benefit is hardware transcoding support. But similar to the other poster somewhere above, I paid for a $100 lifetime subscription years ago and haven't looked back.

        For what its worth, I run Plex and Jellyfin side-by-side, and while I love that Jellyfin is opensource, it definitely lags behind Plex in both functionality, usability, and stability. I'm hoping they close the gap someday!

  • I change my email every time there is a breach like that, because the old email address end-up being spammed.

    So first time I used whateverservice@whateverdomain.tld. With plex I was at myplex2@whateverdomain.tld. Now time to move to myplex3@whateverdomain.tld.

    Hopefully there won't be a 4 anytime soon.

  • I noticed today as I was changing my pw that they now offer 2FA. Maybe that's old news but I'm just discovering it...
  • by aerogems ( 339274 ) on Wednesday August 24, 2022 @10:16AM (#62817705)

    Password HASHES, not encrypted passwords.

    Still not good, but not quite as bad.

    • Depends how they made those hashes. https://en.wikipedia.org/wiki/... [wikipedia.org]
      • They mention "best practices" so I'm assuming (read: hoping) they mean something like a salted SHA256. Either way, this is a good lesson to use unique passwords for different services that are rotated somewhat frequently.
    • The text seems vague, but I am going to assume that "encrypted passwords" would be a salt that is encrypted with someone's password, a la bcrypt. Hashing the password via SHA is a lot less secure as it makes it far easier to do brute force attacks.

      Of course, the best way is having bcrypt, plus something like a "pepper" which is XOR-ed with the salt, and stored/used in some secure spot. That way, if someone dumped the disk, no matter what they tried, the passwords would not has to anything meaningful. Age

  • by PPH ( 736903 ) on Wednesday August 24, 2022 @10:57AM (#62817899)

    ... very few services I use have anything more than a throw-away email address and a fake name for me.

    - Charles U. Farley ("Chuck" to my good friends)

  • Siber Systems a software company located in fairfax Virginia is giving away RoboForm Password Manager free for plex users: https://www.roboform.com/promo... [roboform.com]
  • How is that fancy cloud service/app working out now? Kinda hazy?
    • How is that fancy cloud service/app working out now? Kinda hazy?

      That fancy on-prem app is working out just fine, thank you.

    • You mean that containerized media server I have running on a Linux box in a closet, using hardware transcoding to play back multiple 4k streams simultaneously with less than 10% CPU utilization? Works great, thanks for asking.

      As far as password changes go, this one took me about 10 seconds to actively log out literally every device using the old password, and about 5 seconds per device to get it linked back with new credentials by using https://plex.tv/link [plex.tv] and entering a 4-letter code. If anything, this

      • What hardware (CPU/GPU mainly) are you running to have multiple 4K streams at 10% utilization? I'm concerned about heat and power usage, so I go for low-mid end AMD CPUs with no graphics card.
        • CPU: AMD Ryzen Threadripper 1900X 8-Core Processor
          GPU: NVIDIA GeForce GTX 1060 6GB

          As you can see, not exactly bleeding edge hardware - 5+ years old at this point.

          The trick is to use the nvidia Docker runtime [nvidia.com] and give the Plex container [docker.com] the NVIDIA_DRIVER_CAPABILITIES and NVIDIA_VISIBLE_DEVICES environment variables. CUDA is so stupidly efficient at video transcode that even a 5 year old GPU is more than capable of sustaining multiple 4k streams at once - I think I can comfortably fit 4 H.265 conversions ont

    • How is that fancy cloud service/app working out now?

      Just fine... I'm not sure what you're going with here. Ooooh people's email were exposed, and precisely no other impact. Whoop de fucking do. I expose my email every time I send an email.

  • by Anubis IV ( 1279820 ) on Wednesday August 24, 2022 @01:32PM (#62818573)

    The original headline at The Verge is incorrect, and though they've posted a correction at the end of the article, they haven't updated the headline to reflect that they got it wrong.

    Plex doesn't store encrypted passwords. Plex doesn't even store passwords at all. They store password hashes, which are presumably salted given that their announcement to customers says that they were stored in accordance with industry best practices. Here's the relevant part from the email that I—and presumably many of you as well—received a few hours ago:

    What happened

    Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

  • by atol ( 620255 )
    Mail, what mail? I am using PLEX and did not receive any mail.

"In my opinion, Richard Stallman wouldn't recognise terrorism if it came up and bit him on his Internet." -- Ross M. Greenberg

Working...