We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.
What happened
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
What we're doing
We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.
What you can do
Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password [here](https://support.plex.tv/articles/account-requires-password-reset/?utm_source=Plex&utm_medium=email&utm_content=reset_password&utm_campaign=sql_db_password_reset).
We'd also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling [two-factor authentication](https://support.plex.tv/articles/two-factor-authentication/?utm_source=Plex&utm_medium=email&utm_content=reset_password&utm_campaign=sql_db_password_reset) on your Plex account if you haven't already done so.
Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third-parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses.
For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/account-requires-password-reset
Thank you,
The Plex Security Team
If anyone is curious, then alternatives like Jellyfin exist. It's a bit different and may not have all the features you need, but it works quite well in my experience.
But otherwise I've switched to Infuse[2] since then, it indexes sources reliably on its own (no manual editing though) and saves the entire need for a server if you use it with some cloud storage. Basically replaced my Plex server, with the added bonus of out-of-home streaming without needing high upload. The major disadvantage is that it's Apple-only.
1: https://support.plex.tv/articles/207538527-do-i-need-a-plex-... 2: https://firecore.com/infuse
For this infuriating reason, moving off of Plex is on my to-do list.
Being hard of hearing, subtitles are a big deal. I wonder if this is an ADA violation?
Normal people also want to have features like remote streaming, subtitles fetching, family sharing, etc., which are hard to do without centralized accounts. Not even mentioning securing your paid features, which you have to do to survive. And that customer doesn't care about the login as long as it is up.
I don't think anything Plex could do to please this particular demand would ever be enough, so for me they do well to ignore it, since removing that would effectively kill their business.
I did pay for Plex prior to the cloud auth change, so for me it's a bait and switch, but my concerns are much more about privacy.
One day Plex will be bought by a large media company, and my (and my kids') viewing data and library catalogue data will be owned by MGM, Disney, Fox, etc...
1: https://github.com/jellyfin/jellyfin/issues/5415
Jellyfin may not be perfect but surely it's good enough for most use cases.
I've tried using Plex before and while the UI is nice, they don't seem to be able to write a video transcoder that doesn't have massive stuttering in it.
Jellyfin's DVR service is horrible compared to Plex. Practically unusable. And DVR is the reason I pay for Plex.
I use a password manager with a very long randomly generated password for everything, so a hashed password leaking is essentially meaningless to me. Notifying me immediately so that I can change it ASAP is what matters.
The burner e-mail I use for stuff like this is listed in 25 other data breaches, too. I don't really care. Plex is amazing software.
I don't really understand the freak outs here.
With regard to complex passwords, Plex is one of those accounts that using a random password is quite cumbersome since my kids and I are often connecting new devices that don't access the password manager. We also use it on smart TVs while on vacation. We use a unique, but simple to remember password.
The problem with Plex is that they force you to use cloud auth even if you self-host despite that not being necessary at all for those many of us that self-host. I don't have any other server I host that requires this. The local LAN login they claim works without auth doesn't work for most devices nor across subnets.
It means I can't access Plex when the ISP is down, and it means Plex sees my library and my kids' activity (which I don't like for privacy reasons), despite having paid for lifetime Plex before this was a requirement.
Think about Plex as a business that may very likely get acquired one day by a large media corporation. What happens to my data then? Will they ask me to verify my ownership of content I host(ed)? They are already pushing commercial "free" content to my kids, which is exactly what I was trying to get away from.
Isn't that what plex.tv/link is for?
Because most people reuse the same email address and password, and are potentially way more exposed than you are.
In 2022, your data isn't safe. It's widely known your data isn't safe. You need to take steps to make it matter less when it's mishandled.
Don't get me wrong, the Plex infra team should feel bad about themselves, but if this breach in any way compromises anything else in your life other than your media center -- and if your hashed password gets cracked -- then that's on you in my opinion.
Now, should I have been smarter and used a burner email address and username unique to Plex? Definitely. But I signed up with them like 10 years ago.
First I thought of the pants that the crew of the Enterprise wear and second was the diaper thing that the monkey you use to save in Mega Man Legends wears[0].
(As an aside, an image search for "data star trek" will have you believing that he does not wear pants on that show.)
[0] https://duckduckgo.com/?t=ffab&q=data+mega+man+legends&atb=v...
As of Aug 23 11:24PM PST, the password change page is sort of working, at times displaying the error message "Internal Server Error. Something went wrong on our end". I was able to get my request through. Shortly after, a server instance started showing unclaimed status and reassociating it resulted in "Plex is down for maintenance \ Don't worry, it will be back soon \ status.plex.tv".
[1] https://twitter.com/troyhunt/status/1562329358282285057
http://www.spamcop.net/w3m?action=checkblock&ip=192.254.122....
> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
Sounds like their spam trap is broken.
On July 27th, I received ~7 emails, about 10 minutes apart, warning me of a new device logging in to my Plex account. It didn't correlate with any activity on my part, and the IPs were all over the place (for context, I'm in France). Here are some of the IPs that were used:
Fortunately the password is only used on Plex, and I just generated a new one and signed out my devices, and that was it.
They will say "we have evidence that a subset of x/y/z data was accessed". You might think that means they have evidence that the other data wasn't accessed, but what it means is that they only currently have explicit indicators of certain data being accessed (such as an exported zip file that bad actors forgot to delete, or the log of one SQL query, etc.). It really means very little, and companies (internally) usually assume everything on the breached server was accessed, even if externally they only report on obvious breadcrumbs.
They also say "We detected access on xyz date and immediately worked to close the vulnerability". You might think this means that they have evidence that this was the first access, but it only means this was the first obvious alert they noticed and responded to. There might be earlier accesses (even some they already know about).
They are intentionally vague to limit their legal liability. This is why laws must be passed to compel full disclosure.
> all account passwords that could have been accessed were hashed and secured in accordance with best practices
Now an attacker cannot get a hold of email addresses easily.
Security is about layers. Simply because a hacker “could” do something, does not mean it’s a bad idea. Getting the encryption key when it’s not stored in the database requires the hacker to now have access not to just the database but to another system as well.
Some of those practices may be generally applied for non-healthcare settings as well.
The relevant parts of HIPAA are the duty to not disclose PHI to unauthorized recipients and breach notification requirements if you do incorrectly disclose PHI (the HIPAA breach notification rule).
The magic of encryption is that HIPAA provides safe harbor if the data stolen/lost/intercepted was encrypted to certain standards. So if you lose an encrypted hard drive full of PHI, or someone breaks into your servers and steals encrypted data but not the decryption capability, then it's not considered a breach under HIPAA and you do not need to notify anyone.
Tons of PHI isn't stored encrypted at rest. Physical theft of the hard drive from the practice's back-end EHR database server hasn't generally been high priority on the HIPAA breach potential risk assessment list. But nearly all data in transit, on employee laptops, etc. will be encrypted, because that's where you want the safety net of the safe harbor provision.
https://support.apple.com/guide/icloud/what-you-can-do-with-...
Hardcoding a key would be a bad idea. You would need some way to rotate keys. Maybe also encrypt the actual data encryption keys under another key encrypting key.
But this only defends against attacks which can't get that key (e.g. a SQL injection attack that just dumps table contents).
Having said that, you only need to decrypt if you want to send an email, for logging in you could just store a one way salted hash.
More importantly, this is a lot of effort to protect data that isn't usually regarded as that sensitive (unlike the passwords). If I had the security budget to do that, I'd almost certainly spend it on something else.
It sounds like payment data was stored in a separate database that had a different set of credentials (for this I am grateful).
Thanks to The Plex Security Team for providing details quickly.
> Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
Edit: Not sure why I would be getting down-voted for this. Security breaches are a big deal, but if the only result of this for the users is that we need to change our passwords, that's a fairly good outcome, no? :-) The biggest hurdle ahead for Plex is to figure out exactly what these attackers did, if they were directly targeted and for how long they were in their network. A lot of the time an incident is discovered a long time after the first breach (based on my own personal experience).
Understand that sending emails that are not SPAM, to potentially millions of people is NOT a trivial exercise.