The Plex media streaming platform is sending password reset notices to many of its users in response to discovering unauthorized access to one of its databases.
According to the letter that a reader shared with BleepingComputer, the intruder potentially accessed a limited subset of data, including email addresses, usernames, and encrypted passwords.
“Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution, we are requiring all Plex accounts to have their password reset,” claims Plex’s notice.
“Rest assured that credit card and other payment data are not stored on our servers at all, and were not vulnerable at this incident.”
Plex says it has identified how the third party accessed the database and has addressed the problem to harden its systems and prevent similar incidents from recurring.
Troy Hunt, creator of the data breach monitoring service ‘Have I Been Pwned’, also found himself among the impacted users.
At this time, the impact of the incident and the password reset action hasn’t been specified by Plex, but the internet company characterized it as “limited”.
BleepingComputer has contacted Plex requesting more information on that front, and we will update this post as soon as we hear back from the firm.
Some user reports indicate that the problem doesn’t impact free accounts, so it may be that only paying accounts have been affected. Still, this hasn’t been verified yet.
Meanwhile, the Plex.tv website experienced an outage today and is down at the time of writing. Plex’s status page acknowledges the problem and says it is investigating the cause.
It is unknown whether this outage is related to the unauthorized database access or is a separate DDoS (distributed denial of service) attack targeting the platform.
The password reset isn’t enforced via automatic sign-outs, so those who don’t log out of their accounts on existing devices may continue using Plex, but may encounter media collection access issues.
Moreover, several users report getting “internal server errors” when trying to update their account password, which adds friction (and irritation) in the process.
It is recommended that you follow Plex’s instructions on resetting your password immediately to minimize the chances of account takeover.
Additionally, if you use the same credentials on other websites, you should reset your passwords there too.
Not doing so might leave you vulnerable to credential stuffing attacks, where malicious actors use stolen username and password pairs to try to log in on various websites.
Remember, encryption or hashing does not make stored passwords uncrackable, either now or in the future; how resistant they are depends on the algorithm used to secure them, a detail Plex doesn’t specify in the letter it sent.
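To illustrate why the hashing algorithm matters so much, here is an added example (not code from Plex or from this article) that contrasts an unsalted, single-round SHA-256 record with a salted PBKDF2-HMAC-SHA256 record that carries its own work factor. The iteration count, record format, and helper names are assumptions chosen for the example; the point is that a password database stored the first way is cheap to attack offline once leaked, while the second way makes every guess deliberately expensive and lets a site raise the cost over time.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed policy value: OWASP's current recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, random salt, derived key."""
    salt = os.urandom(16)  # unique per user, so identical passwords give different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def legacy_record(password: str) -> str:
    """An unsalted, single-round SHA-256 record: technically 'hashed', but every guess
    costs one cheap hash and identical passwords produce identical records."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def needs_rehash(record: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record is below current policy and should be upgraded
    on the user's next successful login (the only time the plaintext is available)."""
    parts = record.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < min_iterations


def guesses_per_second(record_fn, samples: int = 20) -> float:
    """Rough throughput of computing one record type, i.e. the cost of a single guess."""
    start = time.perf_counter()
    for i in range(samples):
        record_fn("candidate-%d" % i)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored:", rec)
    print("verify correct:", verify_password("correct horse battery staple", rec))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", rec))
    print("legacy record needs rehash:", needs_rehash(legacy_record("hunter2")))
    fast = guesses_per_second(legacy_record)
    slow = guesses_per_second(hash_password, samples=3)
    print("legacy SHA-256: ~%.0f/s, PBKDF2: ~%.1f/s, ratio ~%.0fx" % (fast, slow, fast / slow))
```

The ratio printed at the end is the practical meaning of “depends on the algorithm”: a leaked table of unsalted hashes can be tested against common passwords at the speed of the fast hash, whereas the PBKDF2 records cost hundreds of thousands of hash operations per guess, and the stored iteration count lets the operator detect and upgrade weak records as hardware improves.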
To further reduce the chances of account takeovers on any online platform you’re using, activate MFA (multi-factor authentication) if the option is available.
Plex users can add a 2FA (two-factor authentication) step in their login process for additional account security by following the instructions here.
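As an added illustration of what a time-based second factor actually checks (this is example code, not Plex’s implementation or anything from the article), the block below implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and a server-side verifier. The `last_counter` bookkeeping and the `new_secret` helper are assumptions about how a service would wire this in; the test vectors come from the RFCs themselves.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, code: str, at_time=None, step: int = 30,
                window: int = 1, last_counter: int = -1):
    """Server-side check tolerating +/- `window` steps of clock skew.

    Returns the matching counter on success, or None. The caller stores the returned
    counter and passes it back as `last_counter` next time, so a code that was already
    accepted (for example one captured by phishing) cannot be replayed.
    """
    now = time.time() if at_time is None else at_time
    counter = int(now) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue  # already consumed or older than a consumed code
        if hmac.compare_digest(hotp(key, candidate), code):
            return candidate
    return None


def new_secret():
    """Enrollment secret: raw bytes for the server, base32 for the authenticator app."""
    raw = secrets.token_bytes(20)  # 160-bit secret, as recommended by RFC 4226
    return raw, base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference secret, not a real user's key.
    demo_key = b"12345678901234567890"
    print("code at t=59:", totp(demo_key, 59))          # 287082 per RFC 6238
    print("accepted:", verify_totp(demo_key, totp(demo_key, 59), at_time=59))
    print("replay:", verify_totp(demo_key, totp(demo_key, 59), at_time=59, last_counter=1))
    raw, b32 = new_secret()
    print("enrollment secret for the app:", b32)
```

Because the code is a function of a shared secret and the current time, a stolen password alone is not enough to log in, which is why enabling this step blunts the credential stuffing risk described above; the replay check matters because a one-time code intercepted in real time is still valid for the remainder of its 30-second window.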
Update 8/24: Several readers pointed out to BleepingComputer that the password reset isn’t forced by Plex, and users who attempt to sign in using their old credentials aren’t prompted to perform a password reset.