Plex Urges Password Reset Following New Data Breach

Summary
– Plex has suffered a data breach where a hacker accessed customer authentication data, including emails, usernames, and securely hashed passwords.
– The company recommends all users reset their passwords and enable the option to sign out of connected devices for security.
– Users logging in via SSO should sign out of all active sessions and then log back in on their devices.
– Plex confirms no payment card information was compromised, as it is not stored on their servers.
– This is the second similar breach for Plex, following an almost identical incident in August 2022.

Media streaming service Plex is advising all users to reset their passwords immediately following a newly discovered security incident. The company confirmed that an unauthorized party gained access to a restricted portion of its database, making off with customer authentication details. This marks the second time in just over a year that Plex has faced such a breach, raising concerns among its user base.
According to an official notification, the compromised information includes email addresses, usernames, and securely hashed passwords. Plex emphasized that the exposed passwords were protected using industry-standard hashing methods, meaning they were not stored in plain text. Still, the company has not disclosed which specific hashing algorithm was in use, leaving open the possibility that determined attackers might attempt to crack them.
Out of what it describes as an “abundance of caution,” Plex is urging every user to visit https://plex.tv/reset to change their password. When doing so, customers should also select the option to “Sign out connected devices after password change”. This step ensures that all active sessions are terminated, requiring fresh logins across every device. While this adds a layer of security, it does mean users will need to re-authenticate on all their Plex-enabled gadgets.
For individuals who use single sign-on (SSO) to access their accounts, the recommendation is slightly different. They should navigate to https://plex.tv/security and select “Sign out of all devices” to invalidate existing sessions. Afterward, a new login will be required on each device.
Plex is also using this moment to remind subscribers about the importance of enabling two-factor authentication for stronger account protection. The company reiterated that it will never request sensitive information like passwords or credit card numbers via email. Fortunately, no payment data was exposed in this incident, as Plex does not store such details on its servers.
Although the vulnerability that allowed the breach has been patched, the company has not released technical specifics about how the intrusion occurred. This incident echoes a similar security event that took place in August 2022, when user credentials were also compromised. Plex continues to investigate the latest breach and has promised to share more information as it becomes available.
(Source: Bleeping Computer)





