Plex Breach Exposes Usernames, Emails and Encrypted Passwords (theverge.com)
Streaming media platform Plex sent out an email to its customers earlier today notifying them of a security breach that may have compromised account information, including usernames, email addresses, and passwords. Although there is no sign that the encrypted passwords were exposed, Plex nevertheless is advising all users to change their passwords immediately. From a report: Plex is one of the largest media server apps available, used by around 20 million people to stream video, audio, and photos they upload themselves in addition to an increasing variety of content the service provides to paid subscribers. The email states, "yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords." There is no confirmation that other personal account information has been compromised, and there's no mention of private media libraries (which may or may not include pirated content, private nudes, and other sensitive content) having been accessed in the breach.
Re: (Score:2)
Streaming media platform Plex
You seriously couldn't make it through the first 4 words of the summary? Or the "Plex is one of the largest media server apps available, used by around 20 million people to stream video, audio, and photos they upload themselves in addition to an increasing variety of content the service provides to paid subscribers." in the 3rd line?
Re: (Score:3)
Plex is what now?
You must be new here. Plex has had multiple articles about it every year for nearly a decade.
Time to use VLC ig (Score:1)
Re: Time to use VLC ig (Score:2)
I'd switch if Roku, PS5, or Vizio had clients.
Re: (Score:2)
Better than Plex and Emby for various and differing reasons.
I just wish it had more options... like telling the web client to cache the whole stream when you're driving through spotty reception.
Re: (Score:2)
Last time I needed something like Plex the purpose was to stream media to my Xbox 360 (which I have long since sold, I sold all my console stuff to a shop at once and got decent money for it.) And then I found PS3MediaServer which did that job just fine.
I always thought Kodi had some kind of shared media library backend that was merely very difficult to get working, but now when I look for information on it I just find instructions on using emby or mezzmo. This is dumb AF. Kodi has all these many functions
Re: (Score:2)
There is also Emby [emby.media], but that looks like it is going to try to move to a similar model as Plex. Or at least those were the rumors I heard. They could've been baseless.
Jellyfin [jellyfin.org] handles what I want it to do just fine. So I stuck with it.
Linkage for the people
Re: (Score:2)
Does Jellyfin display captions in Matroska containers? The Roku Media Player does not.
Re: (Score:1)
Jellyfin is nice, agreed. I've been looking for decent Plex replacements for a few months now...
However, I was so impressed with Infuse 7 that I paid for a yearly subscription. It works very well, has a decent enough interface, and I don't have to manage a server software to accommodate sharing my media, other than setting up one-time SMB shares (with a user/password).
Re:Time to use VLC ig (Score:4, Informative)
Self hosted software that you pay for? with a subscription? Definitely not a bad idea
Can my semi-technologically illiterate friends understand how to route to my server and get to the media I intend to share with them via VLC or similar? Definitely not. Plex is, and has been, a relatively simple system that passes the, "Could my 75 year old mother use this without calling me after it's set up?" test.
Additionally, I don't want to have to jump through the hoops of routing VLC when I'm not within my own network, don't want to navigate multiple, vastly different UIs to do DLNA on differing platforms.
I changed my password, but none of my critical information is associated with the account. I got their paid service lifetime membership about a decade ago, so all the credit info and everything is out of date. The only thing someone would've gotten from me is a throw-away email address that I use for things like this, and a password that I don't care about.
Re: (Score:3)
Plex is, and has been, a relatively simple system that passes the, "Could my 75 year old mother use this without calling me after it's set up?" test.
This right here is Plex's claim to fame. Back when XBMC required a hacked Xbox, and Plex was in its infancy as well, Plex was dead simple to install/use, and it just worked. I screwed around for quite a while to get XBMC to work, gave up and installed Plex and haven't looked back.
re: Plex and ease of use (Score:2)
Yep... as a long time Plex user, I have to agree. The Plex "player/viewer" application is included or downloadable for free for most set-top TV boxes and smart TVs these days, which is a pretty big deal if you want your hosted content to be easy for the average user to enjoy.
My biggest "ease of use" gripe is the somewhat recent redesign of the menus in the Plex client (the one you'd install as the app for Windows or on iOS or Android). The default is to give you menus on the left-hand side of all the stream
Re: (Score:1)
G'Day,
You do realise you can pin any menu item from a server and put it on your home screen.
Just use the left arrow on your controller when a menu item is selected and select the 3 dots and then select pin.
HTH
Re: (Score:2)
Holy shit, a useful post by an AC!
I literally came here to point out that you can unpin their stuff and pin your own for King_TJ's benefit.
Re: (Score:2)
Except actually, I'm aware of the ability to pin menu items, and make use of that already.
Even with pinning them, you can't make them show as the main/top listed menu options though, which is what I want.
Tiered (Score:2)
To be fair, the Plex media server and most clients (except the phone ones) are all free. Subscription gets you DVR support and some bonus features like HDR, lyrics for music, etc.
Re: (Score:2)
Subscription gets you DVR support and some bonus features like HDR, lyrics for music, etc.
For me, the biggest benefit is hardware transcoding support. But similar to the other poster somewhere above, I paid for a $100 lifetime subscription years ago and haven't looked back.
For what it's worth, I run Plex and Jellyfin side-by-side, and while I love that Jellyfin is opensource, it definitely lags behind Plex in both functionality, usability, and stability. I'm hoping they close the gap someday!
At least the second breach (Score:2)
I change my email every time there is a breach like that, because the old email address ends up being spammed.
So first time I used whateverservice@whateverdomain.tld. With plex I was at myplex2@whateverdomain.tld. Now time to move to myplex3@whateverdomain.tld.
Hopefully there won't be a 4 anytime soon.
2FA authentication (Score:2)
Correction (Score:3)
Password HASHES, not encrypted passwords.
Still not good, but not quite as bad.
Re: (Score:2)
The text seems vague, but I am going to assume that "encrypted passwords" would be a salt that is encrypted with someone's password, a la bcrypt. Hashing the password via SHA is a lot less secure as it makes it far easier to do brute force attacks.
Of course, the best way is having bcrypt, plus something like a "pepper" which is XOR-ed with the salt, and stored/used in some secure spot. That way, if someone dumped the disk, no matter what they tried, the passwords would not hash to anything meaningful. Age
This is why ... (Score:3)
- Charles U. Farley ("Chuck" to my good friends)
RoboForm is giving plex users 1 year free! (Score:1)
So... (Score:1)
Re: (Score:3)
How is that fancy cloud service/app working out now? Kinda hazy?
That fancy on-prem app is working out just fine, thank you.
Re: (Score:3)
You mean that containerized media server I have running on a Linux box in a closet, using hardware transcoding to play back multiple 4k streams simultaneously with less than 10% CPU utilization? Works great, thanks for asking.
As far as password changes go, this one took me about 10 seconds to actively log out literally every device using the old password, and about 5 seconds per device to get it linked back with new credentials by using https://plex.tv/link [plex.tv] and entering a 4-letter code. If anything, this
Re: (Score:2)
CPU: AMD Ryzen Threadripper 1900X 8-Core Processor
GPU: NVIDIA GeForce GTX 1060 6GB
As you can see, not exactly bleeding edge hardware - 5+ years old at this point.
The trick is to use the nvidia Docker runtime [nvidia.com] and give the Plex container [docker.com] the NVIDIA_DRIVER_CAPABILITIES and NVIDIA_VISIBLE_DEVICES environment variables. CUDA is so stupidly efficient at video transcode that even a 5 year old GPU is more than capable of sustaining multiple 4k streams at once - I think I can comfortably fit 4 H.265 conversions ont
Re: (Score:2)
How is that fancy cloud service/app working out now?
Just fine... I'm not sure what you're going with here. Ooooh people's emails were exposed, and precisely no other impact. Whoop de fucking do. I expose my email every time I send an email.
I'm perplex about this news (Score:2)
No, really.
Passwords were hashed, not encrypted (Score:3)
The original headline at The Verge is incorrect, and though they've posted a correction at the end of the article, they haven't updated the headline to reflect that they got it wrong.
Plex doesn't store encrypted passwords. Plex doesn't even store passwords at all. They store password hashes, which are presumably salted given that their announcement to customers says that they were stored in accordance with industry best practices. Here's the relevant part from the email that I—and presumably many of you as well—received a few hours ago:
What happened
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
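Added example (not part of the original thread, and not Plex's actual scheme): a sketch of what the posts above mean by salted password hashes and a separately stored pepper, using only Python's standard library. PBKDF2 stands in for bcrypt, the pepper is applied as an HMAC key rather than the XOR one poster describes, and the iteration count, function names and sample passwords are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this demo; tune for real hardware


def _pepper(password: str, pepper: bytes) -> bytes:
    # The pepper is a server-side secret kept OUTSIDE the database (assumption:
    # a secret store or HSM). It is mixed in before the slow hash.
    return hmac.new(pepper, password.encode(), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: bytes = b"") -> dict:
    """Build the record a server stores: salt + slow hash, never the password."""
    salt = salt or os.urandom(16)  # unique per account
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute the hash from the login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", _pepper(password, pepper),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def unsalted_sha256(password: str) -> str:
    """Weak baseline: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def demo() -> dict:
    pepper = os.urandom(32)                    # constructed sample secret
    alice = hash_password("hunter2", pepper)   # constructed sample accounts
    bob = hash_password("hunter2", pepper)
    return {
        "same_password_same_record": alice["hash"] == bob["hash"],
        "unsalted_collides": unsalted_sha256("hunter2") == unsalted_sha256("hunter2"),
        "correct_login": verify_password("hunter2", alice, pepper),
        "wrong_login": verify_password("hunter3", alice, pepper),
        # A database dump alone lacks the pepper, so even the right guess fails.
        "dump_without_pepper": verify_password("hunter2", alice, b"\x00" * 32),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Nothing in the stored record can be decrypted back to the password; verification only ever recomputes the hash from a login attempt.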
Mail? (Score:1)