
Plex Data Breach: Users Urged to Change Passwords, Upgrade Servers

Summary

– Plex experienced a data breach where an unauthorized party accessed customer emails, usernames, and securely hashed passwords.
– The company advises users to reset passwords, sign out of all devices, and re-sign in, with SSO users also needing to re-authenticate.
– Server owners must update to version 1.42.1 to fix a vulnerability and reclaim their servers to restore user access.
– Credit card data was not compromised, but stolen information could be used for phishing, and Plex will never ask for passwords via email.
– Plex has contained the incident and made database adjustments, though specific hashing practices and authentication data details remain unclear.

Media streaming service Plex has confirmed a security incident involving unauthorized access to customer information, prompting the company to advise all users to reset their account passwords immediately and enable two-factor authentication for enhanced protection. The breach, which was quickly contained, exposed emails, usernames, and securely hashed passwords, though no payment information was compromised.

According to an official statement posted on the company’s forums and emailed to users, a limited set of data was taken from one of Plex’s databases. While the exact hashing methods weren’t detailed, the company assured that passwords were protected using industry-standard practices. All users are urged to change their passwords, log out from all devices, including any personal Plex Media Servers, and sign back in with updated credentials. Those using single sign-on should also complete a fresh login to ensure session security.

Server administrators face additional steps following the breach. Plex has implemented changes that temporarily restrict standard users from connecting to servers they previously had access to. This measure is intended to encourage server owners to update their software to version 1.42.1, which patches a critical vulnerability (CVE-2025-34158) that could allow authenticated remote users to tamper with server data. Once upgraded, access for other users will be restored automatically.

The company’s approach suggests they believe the inconvenience to shared users will motivate server administrators to apply the necessary updates promptly. This strategy may prove effective, as outdated servers pose a continued risk even after the initial breach is resolved.

Users should remain vigilant for potential phishing attempts following the incident. Although financial data was not stored or accessed, exposed emails and usernames could be used in targeted scams. Plex emphasized that their staff will never request passwords or payment details via email, and any such messages should be treated as fraudulent.

The full scope of the compromised “authentication data” remains unclear, and inquiries into Plex’s specific security practices are ongoing. One possibility is that session tokens were affected, which would justify the recommendation to sign out and back in across all devices. Subscribers are encouraged to stay informed about further developments as the situation evolves.

(Source: HelpNet Security)
