Plex suffers major data breach, urges users to reset their passwords

DragonSlayer101

What just happened? Plex, the media streaming company behind its namesake OTT platform and media server software, has confirmed a data breach in which an "unauthorized third party" accessed personal information of some customers. While the company has not disclosed the total number of affected users, the leaked data reportedly includes email addresses, usernames, passwords, and authentication details.

The company says all leaked passwords were protected with cryptographic hashing in line with industry best practices, meaning they cannot be read by unauthorized parties. Plex also confirmed that it does not store any credit card information on its servers, so no sensitive financial data was compromised in the breach.

Plex did not specify the hashing algorithm used but emphasized that there is no immediate security threat to users. Nevertheless, the company recommends that all customers reset their passwords as a precaution. To do so, visit the official Plex password reset page and follow the instructions.

To prevent fraud, Plex warns users to watch for phishing emails requesting passwords or credit card details. The company stated that it never contacts users to ask for personal or financial information, and any such email should be treated as potentially malicious.

Plex is also recommending that users enable two-factor authentication for an added layer of account security. A step-by-step guide for enabling 2FA on your Plex account is available in the company's support article.

The company has apologized for the breach and stated that it is reviewing its data security systems to prevent similar incidents in the future.

Plex experienced a similar breach in 2022, when a malicious actor accessed authentication data and hashed passwords from numerous users. At the time, the company said it had identified the cause and was working to resolve the issue securely.

Earlier this year, security researchers at CyberNews reported the largest-ever data breach, exposing over 16 billion login credentials from platforms including Google, Facebook, Apple, and even some government services. Other major companies reporting breaches in 2025 include Coca-Cola, Hertz, Allianz Life, Aflac, and TransUnion.

Image credit: Wesley Fryer

 
Lol @ protected by hashes… that just means that maybe 1% are protected - programs have existed since JTR to crack those…

I’m guessing that virtually all users are affected…. If you have a free account, I suggest making a new one (and deleting the old one).

If you paid for the plex pass, change your PW ASAP and hope Plex safeguards your info…
 
I never got the email but members of my family did.

Reset my password, already had MFA, and signed out of all devices; I had to re-take my server, as it also signs you out of that.
 
Thankfully those who saw this coming a couple of years ago and jumped ship to instead run a completely open source private stack will suffer zero issues.

Tired of getting bit by the greed of others? Remove them from your life.
 
Luckily I don't subscribe to anything so no personal details, only have a password to use Plex server, but will reset tonight.
 
Lol @ protected by hashes… that just means that maybe 1% are protected - programs have existed since JTR to crack those…

You are referring to hashing techniques not suitable for passwords (like MD5, or SHA). With correctly hashed passwords (such as bcrypt with a high work factor), it could take years to crack just 1 password. It's computationally too expensive to bother with, especially considering the person may have changed his password years before you cracked it. Quantum computing might change this.
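To make the distinction drawn in this reply concrete (and to give some shape to the article's statement that the leaked passwords were hashed "in line with industry best practices"), here is an added example. It is not code from the article, from Plex or from any commenter. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, because it has the property the reply relies on: a tunable work factor that is stored with the hash. The record layout, the function names and the 600,000 iteration count (the figure OWASP's Password Storage Cheat Sheet recommends for PBKDF2-HMAC-SHA256) are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's recommendation at time of writing).
# It is tunable and stored beside the hash, so it can be raised later.
DEFAULT_ITERATIONS = 600_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def naive_hash(password: str) -> str:
    """What 'protected by hashes' often means in practice: one fast, unsalted
    SHA-256. Equal passwords give equal hashes and a guess costs one hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash in a self-describing record:
    $pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>
    (layout chosen for this example, modelled on the PHC string format)."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: no shared precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def _parse(stored: str):
    _, scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unsupported scheme: " + scheme)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, stored: str) -> bool:
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    # constant-time comparison so the check itself does not leak timing
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a lower work factor than current policy.
    The natural place to act on this is right after a successful login."""
    iterations, _, _ = _parse(stored)
    return iterations < min_iterations


def cost_ratio(iterations: int = DEFAULT_ITERATIONS, samples: int = 10_000) -> float:
    """How many times more expensive one guess is against the slow hash than
    against the fast one, measured on this machine (hardware-dependent)."""
    t0 = time.perf_counter()
    for i in range(samples):
        naive_hash("candidate-%d" % i)
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"candidate", b"\x00" * 16, iterations, dklen=32)
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Correct horse battery staple", record))
    print("one guess costs ~%.0fx a plain SHA-256" % cost_ratio())
```

The ratio printed at the end is the whole argument in one number: with a fast unsalted hash, every guess costs one hash, and every user who chose the same password falls at once; with a salted, iterated hash, each guess against each user costs hundreds of thousands of hashes, and `needs_rehash` lets that cost be raised over time.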
 
Sadly Plex is the only service that works for me. JellyFin, Emby and others don't work that well for some reason so I'm stuck with Plex, sadly.
 
You are referring to hashing techniques not suitable for passwords (like MD5, or SHA). With correctly hashed passwords (such as bcrypt with a high work factor), it could take years to crack just 1 password. It's computationally too expensive to bother with, especially considering the person may have changed his password years before you cracked it. Quantum computing might change this.

Not if you’re using word lists… and your password is on one of them - which applies to almost every password…
 
Thankfully those who saw this coming a couple of years ago and jumped ship to instead run a completely open source private stack will suffer zero issues.

What are the alternatives? Do they run on a Firestick? Do they access NAS devices? Do they require a Unix OS?
 
Sadly Plex is the only service that works for me. JellyFin, Emby and others don't work that well for some reason so I'm stuck with Plex, sadly.

That probably won't change until two things happen: Plex truly and completely kills their self-hosting capabilities (this will likely happen at some point, imo); and JellyFin & Emby devs consolidate under one project.

Both JellyFin and Emby have a fair bit of work, and I suspect each could make use of the other's devs. Consolidating the work would probably be best... but who knows if dev egos would allow that.
 
That probably won't change until two things happen: Plex truly and completely kills their self-hosting capabilities (this will likely happen at some point, imo); and JellyFin & Emby devs consolidate under one project.

Both JellyFin and Emby have a fair bit of work, and I suspect each could make use of the other's devs. Consolidating the work would probably be best... but who knows if dev egos would allow that.

Yesterday I tried to install Emby in Mint and it failed. I tried two different versions of Mint and both yielded the same results.
 
Word lists don't care about the hash anyway, and anyone dumb enough to use the top 500 common passwords deserves what happens.

Word lists can contain ANY password that has been previously exposed in any leak... some have MILLIONS of usernames/passwords.

The complexity of your password won't help you - only fluke luck in that the websites/companies you've registered for haven't had any leaks - which is vanishingly small these days...
 
What are the alternatives? Do they run on a Firestick? Do they access NAS devices? Do they require a Unix OS?

If you never plan to watch away from home, SMB share with Kodi clients, simple as. If you want to watch from anywhere, run Jellyfin as your media server and enjoy its various clients.

I don't know what runs on a firestick. My streaming boxes are custom as well running LibreELEC. I went full scorched earth last year to completely insulate myself from any decisions made by the major players and retain total control, forever.
 
If you never plan to watch away from home, SMB share with Kodi clients, simple as. If you want to watch from anywhere, run Jellyfin as your media server and enjoy its various clients.

I don't know what runs on a firestick. My streaming boxes are custom as well running LibreELEC. I went full scorched earth last year to completely insulate myself from any decisions made by the major players and retain total control, forever.

Even if Plex disappeared tomorrow, you'd still have your entire media library... just a matter of installing a different server/client....
 
How many times does this kind of thing have to happen before companies and governments employ proper server-side security and encryption?

Even if Plex disappeared tomorrow, you'd still have your entire media library... just a matter of installing a different server/client....

Exactly. Plex is a convenience, not a necessity. I've only used Plex twice and was not impressed either time.
 