Privacy Security

Plex Suffers Security Incident Exposing User Data and Urging Password Resets (nerds.xyz) 29

BrianFagioli shares a report from NERDS.xyz: Plex has alerted its customers about a security incident that may have affected user accounts. In an email sent to subscribers, the popular media server company confirmed that an unauthorized third party gained access to one of its databases. The breach exposed emails, usernames, and hashed passwords. Plex emphasized that passwords were encrypted following best practices, so attackers cannot simply read them. The company also reassured users that no credit card data was compromised, since Plex does not store that information on its servers. Still, out of caution, it is requiring all account holders to reset their credentials.

Users are being directed to reset their passwords at plex.tv/reset. During the process, Plex recommends enabling the option to sign out all connected devices. This measure logs out every device associated with the account, including Plex Media Servers, forcing a fresh login with the updated password. The company says it has already fixed the method used by the intruder to gain entry and is conducting additional security reviews. Plex is also urging subscribers to enable two-factor authentication if they have not already done so.

  • by blahbooboo2 ( 602610 ) on Monday September 08, 2025 @07:33PM (#65647416)

    Plex was hacked in 2015 too. 10 years isn't too bad a run between security breaches?

    https://www.twingate.com/blog/... [twingate.com]

    • That's a terrible thing to say.

      No, really.

      First, a breach of your email address is normally going to be far less damaging than, say, medical records showing failure to comply with Texan birthing-vessel policy. You really want to look at the magnitude of the breach before comparing.

      Second, no, if you're soliciting PII from people, you have a duty to protect it. "Only" failing once in a while is not acceptable.

      Third, soliciting PII from users of home theater software serves no functional purpose. Deman

    • "In August 2022, a Plex data breach exposed users' emails, usernames, and encrypted passwords after a cybercriminal gained access to a database. Plex responded by requiring all users to reset their passwords and assured that no payment or credit card data was compromised."

    • by AmiMoJo ( 196126 )

      I don't understand Plex. Why would I use it over the many alternatives?

      • I don't understand Plex. Why would I use it over the many alternatives?

        There are several reasons.

        1. The biggest one for many...because you are a long time user and it is what you know.
        2. Plex is a more polished product.
        3. Plex, particularly with Plex Pass (which I bought Lifetime for around $100 over a decade ago), has more features than alternatives.
        4. Plex has better (read: better, not good) support for subtitles.
        5. Some people like the free TV additions.
        6. It is, generally speaking, easier to install/set up.
        7. It is the most popular media server, which means it has more

        • by AmiMoJo ( 196126 )

          I see people use it for the transcoding, but I just use Kodi that plays everything directly. No special server, just a normal filesystem over the network.

          • I see people use it for the transcoding, but I just use Kodi that plays everything directly. No special server, just a normal filesystem over the network.

            I haven't checked in a while, but isn't Kodi simply a media client, and not a server? What if you have family who want access to the media? What if you want to limit what media different members of the family can see (for example, I don't want children to see my Dexter collection). What if you want your settings to be consistent across all your devices without having to touch all your devices? What if you want to watch your media outside the home?

            Kodi is a fine product, but I don't see it as a comparison to

            • by AmiMoJo ( 196126 )

              Network shares, soft links. I don't care about settings sync.

              I see why people want that integration though.

          • This is the way
      • Well, it's very good if you play Eve Online. [eveonline.com]

  • by TheWanderingHermit ( 513872 ) on Monday September 08, 2025 @08:03PM (#65647452)

    Clicked to update my password - now the Plex site login won't work at all. I don't mean it won't take the new PW. I mean you can't get the login page.

    Not surprised, really. So freaking many bugs in Plex that never get fixed I've questioned their code quality for a while now.

  • by RUs1729 ( 10049396 ) on Monday September 08, 2025 @08:41PM (#65647506)
    I stopped using it when they decided they would charge for letting you stream your material outside your network. Moved to Jellyfin, which does what I need and want, and the move was easier than I thought it would be.
    • Not using Plex is the gift that keeps on giving. Why so many people went for it when there were better open-source alternatives available, I'll never know.

      • Re:Bye bye Plex (Score:5, Insightful)

        by SeaFox ( 739806 ) on Monday September 08, 2025 @10:50PM (#65647676)

        Why so many people went for it when there were better open-source alternatives available...

        I like how you phrase this like Jellyfin has been around as long as Plex, and is as mature in its development. For many people, Jellyfin wasn't really "there" until version 10.9 -- and that was less than two years ago. Many people had Plex servers up and long established before then, and see no reason to change after investing lots of time in their existing setup. The main complaints driving people to Jellyfin now are:

        1) The addition of advertising-supported streaming content.
        2) The recent push to make the ecosystem into some lame social media network revolving around TV/movies.
        3) The most recent changes to pricing and remote access no longer being free.

          - You can disable the first one at the account-level very easily.
          - You can also hide/disable the effects of the second and set privacy settings to tamp it down.
          - And for anyone who already had a Lifetime Plex Pass, the third is a non-issue.

        • by xeoron ( 639412 )
          Plex Lifetime Pass is worth it when you know you are paying to support the developers (used to be around 79 bucks), plus being able to cache content to a phone for offline play is so worth it for listening to audio books or personally owned music (Jellyfish last time I checked did not have this feature). Plex will let you cast to a smart speaker a video and thus it becomes a "radio" like broadcast version, which is really nice when you want to hear things yet not display them.
    • > they decided they would charge for letting you stream your material outside your network

      uh what? Been using plex for years, inside, outside, network, other people, family members. No one is paying anything for plex except me who purchased a lifetime subscription about 10 years ago. You don't need to pay anything to stream plex. What on earth are you talking about?

      • If you didn't have a full Plex Pass sub connected, then the external users would be getting prompted to pay for a streaming sub to allow streaming. Which was a new change earlier this year. Previously there was a one time purchase of a mobile app. These are now free, but there is the "streaming access only" sub that doesn't include the extra features of the full Plex Pass. I think people who previously bought the apps still require these subs now.

        Jellyfin on the other hand just needs someone to configure a

        • > If you didn't have a full Plex Pass sub connected, then the external users would be getting prompted to pay for a streaming sub to allow streaming. Which was a new change earlier this year. Previously there was a one time purchase of a mobile app. These are now free, but there is the "streaming access only" sub that doesn't include the extra features of the full Plex Pass. I think people who previously bought the apps still require these subs now.

          you can still stream to friends/family without plex pa

          • No that's not correct. Anyone can stream to any device IOS, Android, web, etc on the same network the same as before without a sub of any kind.

            But now if you want to stream outside of your home network you need a subscription. If the server owner has the full Plex Pass associated to the server like you do, then anyone can stream from it remotely without needing their own streaming subs.

            The new "Remote Watch Pass" is $1.99/month or $19.99/year with no lifetime option. https://www.plex.tv/plans/ [www.plex.tv]

            This was chang

              Wow. I did not realise this, thank you for the info. The enshittification is strong on this one. Wow. That's awful. Well, I guess the Plex Pass lifetime is still worth it for now.

              I also tried jellyfin in the past, but way too much friction to make it work properly, plex was super easy. Somebody above said something like, oh you 'just need to setup a VPN' great - and good luck getting grandma to configure her system to connect in a VPN. etc etc

    • > Jellyfin, which does what I need and want, and the move was easier than I thought it would be

      I 100% guarantee it's not as easy as Plex to get running on whatever random TV my extended family has. Given Jellyfin apps don't even exist for some TV brands, Jellyfin is a complete non-starter. If a user can't download the app and sign in, then it's already losing vs Plex.

    • Except Plex Pass Lifetime includes Remote Watch [reddit.com]... so I guess you switched for nothing.
  • They didn't learn from the compromise in August of 2022 (that forced the same thing) did they! Plex doesn't seem to learn ANY lessons! I think it's high time a better competitor comes along that knows something about a thing called SECURITY!
    • Go for it. Like use wireguard and secure port knocking for any sort of infrastructure maintenance access, write the backend(s) in Elixir and Rust, follow careful OWASP recommendations for security processes, and manage developer devices carefully with client platform engineering principles.
  • by wwphx ( 225607 ) on Tuesday September 09, 2025 @12:32PM (#65648662) Homepage
    And this reinforces my plan to not use Plex.
