FindArticles © 2025. All Rights Reserved.

Plex urges password resets after data breach

Last updated: October 30, 2025 10:58 pm
By Bill Thompson

Plex has said it’s “highly likely” its servers were compromised and is advising users to change their passwords after suspected personal details of users, hashed passwords and some authentication tokens were found online.

The streaming and media server company said it has shut down the intruder’s access and patched the entry point, but it has not said how many accounts are affected, nor given details about which authentication tokens were stolen.


What Plex says happened

One of the company’s systems was accessed by a third party, who removed customer account records, according to the company. Plex described the stolen passwords as “scrambled,” which is another way of saying they were salted and hashed, and therefore not readable as plain text. The company also cited “authentication data,” a term that might include session cookies, device tokens or API tokens that keep apps signed in on TVs, set‑top boxes and mobile devices.

Plex has suggested users reset passwords and sign out of associated devices, but has not enforced a system‑wide password reset. That’s significant because many services that lose account data, even in hashed form, will proactively invalidate all passwords and sessions to wipe out all remaining risk. Plex, which claims to have around 25 million users worldwide, has not publicly said when the breach took place, how long the attacker had access, or if the intrusion extended beyond its own systems.

Why “scrambled” passwords are still a risk

Hashing is an essential control, but it’s not a panacea. The level of protection depends on the hashing algorithm, the salting practices and the complexity of the password. Even with modern algorithms such as bcrypt or Argon2, weak or reused passwords can be cracked offline once attackers have a copy of the hash database. For years, security researchers and cracking benchmarks (including widely cited analyses from Hive Systems, among others) have demonstrated that short, popular passwords fall immediately to GPU‑accelerated attacks, and the same research has overwhelmingly shown that long, unique passphrases withstand those attacks.
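The point above, as an added illustration that is not from Plex or the original article: a defender's audit of salted, slow hashes that flags accounts whose password appears on a common-password list. PBKDF2 from Python's standard library stands in for bcrypt or Argon2, and the accounts, passwords, wordlist and iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor, kept low so the demo runs fast

def hash_password(password, salt=None):
    """Return (salt, digest) using a fresh random salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    """Constant-time check of a candidate password against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def audit(records, common_passwords):
    """Return users whose stored hash matches a known-common password.

    Salts mean every guess must be recomputed per user, but the work is
    still only len(records) * len(common_passwords) hash computations.
    """
    flagged = []
    for user, (salt, digest) in records.items():
        if any(verify(word, salt, digest) for word in common_passwords):
            flagged.append(user)
    return flagged

# Constructed sample data: two accounts reuse a popular password,
# one uses a long random passphrase.
RECORDS = {
    "alice": hash_password("password123"),
    "bob": hash_password("password123"),
    "carol": hash_password("maple-orbit-cactus-lantern-47"),
}
COMMON_PASSWORDS = ["123456", "password123", "qwerty", "letmein"]

if __name__ == "__main__":
    # Same password, different salts: the stored digests do not match.
    print("alice == bob digest:", RECORDS["alice"][1] == RECORDS["bob"][1])
    print("force a reset for:", audit(RECORDS, COMMON_PASSWORDS))
```

A service can run the same check when a password is set, rejecting common choices before they are ever stored.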

For most of us, the greatest threat is credential stuffing, in which attackers automatically try leaked username‑password pairs on various other sites. Intruders use stolen credentials in most of the breaches that are investigated by Verizon, according to the firm’s Data Breach Investigations Report. If a Plex password is reused, the damage could go far beyond a media library.

What Plex users should do now

Immediately change your Plex password and make it a unique one. Prefer a passphrase of 12-16 characters made up of a few random words or characters. A reputable password manager will be able to create this passphrase for you and store it, and it can help you find and change any accounts where you may have used the same password.

Enable two‑factor authentication on Plex. Time‑based one‑time codes provided by an authenticator app are a strong second factor and can stymie many account‑takeover attacks, even if a password is out in the wild.

Also sign out of all devices in your account settings and sign back in. This invalidates old sessions and replaces tokens that may have been disclosed. Re‑authorize any integrations or third‑party applications (such as mobile remotes or media managers) connected to Plex, and deny access for anything you don’t recognize.

Be alert to phishing. Attackers frequently weaponize breach news to deliver convincing fake emails that urge you to “verify” your account. Go directly to Plex’s official app or site instead of following links in messages and check any security warnings in your account dashboard.

Keep an eye on your email for suspicious attempts at password resets, and consider subscribing to breach notification services, such as Have I Been Pwned (haveibeenpwned.com), to get alerts whenever your address turns up in new data sets.

Watch for sign‑in notifications from other services that use the same email address.

The security perspective on Plex’s response

By not requiring a universal password reset, Plex makes things easier for its users, but exposure remains if even a small fraction of the hashes or tokens can be cracked or reused. Forced logouts across all devices, global password resets and a public post‑mortem about what data was accessed and what controls were put in place are all typical features of industry playbooks. In recent high‑profile incidents, whether at identity or consumer platforms, such measures helped to limit the damage, end attackers’ persistence and restore user confidence.

Most jurisdictions also have breach disclosure obligations that provide for timely notification and details regarding the affected categories of data. Groups like the Identity Theft Resource Center keep databases of data compromises and point to how incomplete disclosures can hamper consumer protection efforts. More details, from the hashing algorithm employed to whether device tokens were revoked, would help Plex’s customers assess their potential exposure.

What to watch next

Users will need to watch for Plex to say more about how severe the breach was, what type of authentication data was taken, and whether a session invalidation is in order. A technical write-up describing the attack vector and hardening measures (more restrictive rate limiting, better anomaly detection, the ability to contain and revoke widely used tokens) would help give us confidence that the root cause has been eliminated.

Until then, the best defenses are in the hands of the user: unique passwords, two‑factor authentication and a quick sweep to end old sessions. Since credential misuse is the cause of so many account takeovers, those steps will pay off on Plex — and anywhere else you sign in.

Bill Thompson
Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.