[German]Short addendum to an unpleasant security topic. Yesterday it became known that there was a security incident at the provider Plex (streaming service, media server). It seems that attackers managed to access some of the data of the user base of this provider. In the process, usernames, emails and the encrypted passwords might have been leaked. Plex users are urged to change their passwords for Plex access as a precaution.
Advertising
I already came across the info yesterday, but was out of the office. In the meantime, blog readers (thanks to Knut S. and Michael T. for pointing it out) have alerted me to the issue. It seems that Troy Hunt has also fallen victim to this security incident, as I can see from the following tweet.
Who is Plex?
For noobs like me, a quick explanation: Plex is an American streaming media service and client-server media player platform from Plex, Inc. The Plex Media Server organizes video, audio, and photos from a user's collections and online services and streams them to the players.
The Plex data breach
Plex, arguably notified its user base via email of a data privacy incident. On August 23, 2022, Plex discovered suspicious activity in one of their databases. An investigation was immediately launched, and it appears that an unauthorized third party was able to access a limited subset of data that included emails, usernames, and encrypted passwords. Credit card and other payment data were not stored on the servers and were not compromised in this incident.
Although all passwords that could have been accessed were encrypted and secured, as a precaution Plex is requiring all users to reset their passwords for Plex accounts. The full text of the August 24, 2022 English-language mail to users was provided to me by two affected parties and can be viewed below.
Advertising
Action required: Important notice of a potential data breach
Dear Plex User,
We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.
What happened
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
What we're doing
We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.
What you can do
Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password here.
We'd also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven't already done so.
Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third-parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses.
For step-by-step instructions on how to reset your password, visit
Thank you,
The Plex Security Team
