What you need to know:
- Plex says a third-party was able to access a database that included "emails, usernames, and encrypted passwords."
- The service says it stores hashed passwords, and that it is requesting users to change their passwords "out of an abundance of caution."
- Plex confirmed that credit card and other payment data was not affected.
Media streaming service Plex is the latest to be hit with a data breach. In an email sent out to customers, Plex says that a "third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords."
Plex says that the passwords were "hashed and secured in accordance with best practices," but it is recommending that all users change their passwords "out of an abundance of caution." It didn't reveal how many users were affected in the breach, only noting that credit card and other payment information wasn't stored on that particular server, and as such it wasn't accessed.
Plex notes that it addressed the issue that allowed the third-party to gain access to the database in question, and that it is conducting "additional reviews" to ensure its systems are "further hardened to prevent future incursions."
If you use Plex, you should go ahead and reset your password. Given the frequency of data breaches, you're better off using a password manager to create unique passwords — we've highlighted the best password managers, and if you need a recommendation, I'd suggest going with Bitwarden.
Plex has a how-to page detailing how to reset your password, and if you haven't done so already, now is a really good time to set up two-factor authentication for your account.
Here's the email Plex sent out:
"Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords."
"Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident."
"We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password."
"Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password."
"We'd also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven't already done so."
"Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third-parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses."
