Plex suffers data breach, warns customers to change passwords


History appears to be repeating. Plex has announced that it has suffered a security breach, exposing user data. The last time this happened was in 2022, and users are being advised to change passwords as soon as possible.
The company is referring to it as a “security incident that may potentially involve your Plex account information”. While Plex tries to downplay the severity of the breach, the fact that “an unauthorized third party accessed a limited subset of customer data from one of our databases” is concerning – especially when you consider that this is not the first time.
The media streaming platform has emailed customers, and also published an advisory on its web site. Damage limitation comes in the second line of the post: “We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure”.
Plex continues:
“While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
“Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account. Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.”
Plex under attack again
The company says that it has already determined how the breach happened and has “addressed the method this third party used to gain access to the system”. It goes on to tell customers to take action to protect their accounts:
- If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
- If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says “Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
At the moment, there is no information about who is responsible for the attack, nor has Plex said how many customer accounts have been affected. The company says that it is taking steps to further strengthen its security, but this will be little comfort to customers who have been hit by two significant breaches in a relatively short space of time.