Plex breach exposes usernames, emails, and encrypted passwords

Streaming media platform Plex sent an email to its customers today notifying them of a security breach in which account information, including usernames, email addresses and passwords, may have been compromised.

Plex’s message said that all account passwords that could be accessed were hashed and secured in accordance with best practices. It is still advising all users to change their password immediately.

Plex is one of the largest media server apps available, used by approximately 20 million people to stream video, audio and photos, alongside a growing number of content services provided to paying customers.

The email said: “Yesterday, we found suspicious activity in one of our databases. We immediately launched an investigation and it appears that a third-party was able to access a limited subset of data which includes emails, usernames and encrypted passwords.”

There is no indication that any other personal account information has been compromised, and no mention of access to private media libraries, which may or may not contain pirated material, private nudes and other sensitive material.

Plex’s email also assures customers that financial information appears to be secure despite the breach, stating that credit card and other payment data “are not stored on our servers at all and were not unsecured in this event.”

The cause of the breach has been found, and Plex says it has taken action to prevent others from taking advantage of the same security flaw. The email continues: “We have already addressed the method it uses to gain access to third party systems.”

“We are conducting additional reviews to ensure that the security of all our systems is further strengthened to prevent future intrusions.” If you have a Plex account, you should follow the company’s instructions immediately.

If you haven’t already enabled two-factor authentication, you should enable it as well. Plex puts two-factor authentication options under your account page. To easily manage unique, hard-to-guess passwords and 2FA codes across all of your apps, services, and sites, you should use a free or paid password manager.

Web browsers such as Google Chrome, Microsoft Edge, and Safari all have good built-in options these days, although there are also dedicated services such as Bitwarden, 1Password and LastPass. Some password managers let you manage passwords that have been breached online and autofill password updates when prompted by apps and websites on your desktop and phone.

Update Aug 24, 10:14AM ET: Clarified that passwords were potentially included in the accessed data. Plex claims they were hashed and secured in accordance with best practices.
