What just happened? If you're one of the 13 million or so people who actively use Plex every month, you should probably change your password as soon as possible. That's what the company is advising after it discovered suspicious activity in one of its databases and found a third party had accessed a subset of data that included emails, usernames, and encrypted passwords.
The streaming media service/media player sent an email out to users earlier today (August 24) informing them of the intrusion. Plex does emphasize that all passwords were hashed and secured in accordance with its best practices, but it still recommends users reset them out of an abundance of caution and sign out of all their devices. Plex says changing the password is a requirement, though some users say they aren't being forced into this action—at least not yet.
Plex also notes that no credit card information or other payment details were accessed as these are stored on a separate server, so they're safe. It adds that while the perpetrator has not yet been identified, the method used to access the database has been addressed and it is conducting additional reviews to ensure the security of its other systems is hardened to prevent similar compromises.
Aw crap, I'm pwned in a @plex data breach. Again. I can't do anything to *not* be in a breach like this (short of not using the service), but a @1Password generated random password and 2FA enabled makes this a mere inconvenience rather than a genuine risk. pic.twitter.com/XetB3IGUh3 — Troy Hunt (@troyhunt) August 24, 2022
As noted by Troy Hunt, the creator of the Have I Been Pwned website who was also impacted by the hack, the usual precautions are recommended to avoid the worst consequences of cybercrime: always enable two-factor authentication wherever possible, and if you want to add some extra security, use a password manager that not only stores your credentials but also creates random passwords. You might remember that the most common password of 2021 was "123456" and the rest of the top ten was just as embarrassing.
Plex also reminded customers that it will never ask for passwords or credit card information over email.
If you've never used Plex before and would like to give it a try, you can download the app for multiple devices right here.