Plex has disclosed a breach which led to the unauthorized access of one of its customer databases and is urging all users to reset their passwords.
The company said the records that were compromised included email addresses, usernames, hashed passwords — random strings of characters derived from the original passwords — and some authentication data.
What Plex Says Was Accessed
Plex says the intruder gained access to a small amount of account information. Passwords were not stored in plain text which is a well known standard for hashing and should make them unreadable in case of a theft of that data. Hashing significantly mitigates risk, but doesn’t eliminate it, particularly if the original password is weak, or previously used elsewhere.
Notewhirrow: “authentication data” is mentioned there. On modern platforms, these can be session tokens or device-level credentials that maintain your signed-in status. That’s why Plex is urging users to not only change their password, but also log out of all devices–to prevent exposure of any left-behind tokens.
What Users Should Do Now
Change your Plex password at your account security settings and opt to sign out of all devices. This re-prompts login across apps, smart TVs, mobile devices, and Plex Media Servers, eliminating any lingering sessions.
If you haven’t already, turn on two-factor authentication. Microsoft’s identity security team has also long maintained that multi-factor authentication can prevent the vast majority of machinery-assisted account-takeover attempts. A time-based one-time code, or a hardware security key, significantly ramps up the variety of attacks that a malicious adversary has to pursue.
If you reused your old Plex password elsewhere, you may want to change those passwords as well. A lot of the company that hoarding passwords for billions of users are also storing them in some of the worst ways possible. (Worse, they’re being urged to use the cloud, which too often means you’re out of control once a data breach occurs.) “Credential stuffing,” or attackers trying a username and password on multiple sites, still is one of the most effective tactics in account breaches. A password manager is useful to generate and store individual credentials for each service.
For users who sign in to Plex with single sign-on through a third party, visit your identity provider’s account security page and revoke active sessions there too.
Then log back in fresh.
Why Resets Still Matter If You Have Hashed Passwords
Hashing is the right way to do it, but it’s strength relies on password strength and implementation. Weak or widely-used passwords are also at-risk to dictionary attacks, if an attacker has actually obtained the hash. The National Institute of Standards and Technology recommends long, unique passphrases, and screeners that shut down known breached passwords — ideas that every consumer can embrace via a password manager and 2FA.
The broader threat picture reinforces this urgency. Year after year, the Verizon Data Breach Investigations Report finds that stolen credentials and phishing are among the leading causes of intrusions, particularly against consumer-facing web applications. Therefore, unique passwords and MFA remain the most reliable countermeasures. Context: Plex’s Scale and Prior Incidents. Plex serves a global audience of media streamers and home server enthusiasts, making it an attractive target for credential-harvesting campaigns. The company has experienced an analogous security event before and provided comparable guidance to combat session hijacking upon this event. Plex has resolved the method of intrusion and is conducting additional reviews to strengthen its systems. This effort typically includes tightening database access controls, auditing service-to-service tokens, considering logging and detection gaps, and testing incident response playbooks. If forensic analysis reveals new information, users should anticipate further communications. Extra Precautions for Plex Media Server Users. If you operate a Plex Media Server at home, I encourage you to review the server’s remote access settings and impose secure connections. After resetting your account password, kindly reauthenticate the server and any connected apps. Remove any unused devices, and revoke any age-old API tokens or integrations that puzzle you. When feasible, utilize a phishing-resistant MFA method and keep your device operating systems up to date. The Cybersecurity and Infrastructure Security Agency continues to reemphasize that Fera.gov unpatched systems and vulnerable authentication methodologies often underlie follow-on attacks after a breach. The Bottom Line. Plex users should not question the validity of this breach – they should regard it with consideration to reset your password, log out of all of your devices, and activate two-factor authentication. Even with hashed credentials, immediate action profoundly diminishes the likelihood of account compromise, credential stuffing, or session token attack. Plex reports that it has isolated the vector and plans to reinforce its defenses; users may make things more difficult for the company by tightening their account hygiene now.
