Plex, a popular personal media server and streaming platform, has disclosed a recent security incident that exposed limited user account data.
In an official announcement, the company stated that an unauthorized third party accessed one of its internal databases. While the breach was contained quickly, the affected data includes usernames, email addresses, hashed passwords, and some authentication-related information.
Plex confirmed that no payment information or credit card data was compromised, as such details are not stored on their servers. They also noted that early detection and response limited the impact.
Scope
According to Plex, the breach impacted a “limited subset” of user accounts. Although the compromised passwords were hashed using current best practices, which makes them unreadable without extensive effort to crack the hashes, the company is urging all users to reset their passwords as a precaution.
Plex’s investigation found that the attacker gained access through a specific vulnerability, which has since been addressed. The company is also conducting a broader security audit to strengthen its systems against future attacks.
Plex has issued recommendations based on how users sign into their accounts:
For users who log in with a password:
- Reset your password immediately via https://plex.tv/reset
- Enable the “Sign out connected devices” option when resetting. This will log out all active sessions, including Plex Media Servers, and require re-authentication.
For users who use Single Sign-On (SSO):
- Visit https://plex.tv/security
- Click “Sign out of all devices” to end all active sessions
After completing these steps, users will need to sign in again on all devices.
Plex is also advising users to take additional precautions:
- Enable two-factor authentication (2FA) on your Plex account for added security.
- Be wary of phishing emails; Plex will never request a password or payment via email.
- Change your password on any other sites where you reused your Plex account password.
Some users have reported minor issues during the password reset process, such as the reset email not arriving (users still logged into Plex via a browser can manually change their password from the Account Settings page) or receiving a “Not Authorized” error on their Plex Media Server (which typically means the server needs to be reclaimed).
Plex has apologized for the incident and emphasized that early detection and response limited the impact. The company says it is committed to transparency and strengthening its internal security measures to prevent similar incidents in the future.
For the full disclosure as well as guidance on recommendations, visit their official forum post on their website.