Plex reveals data breach, recommends immediate password change for all users
Plex, the popular home media server software, has today revealed a data breach affecting some of its users’ personal data. The company has been sending out emails to alert users to what’s happened and what they should do next.
Fortunately, no credit card information has been compromised. But the attackers did gain access to Plex’s systems and to data including email addresses, usernames, and encrypted passwords.
Here’s an excerpt from the email that hit my inbox.
“Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.”
So, the good news is that your password should be safe since Plex doesn’t do anything silly like store it in plain text. But out of caution, if you have a Plex account, you should definitely go and create a new, strong password for it right now. And never re-use your passwords across different services.
When changing your Plex password there is also a checkbox to log out of any connected devices and services. You should ensure this is checked, then go and log back into any of your Plex media servers. It’s an extra step, but it’s recommended whenever you change your password. And definitely in this instance.
It’s unfortunate that this happened but it’s also commendable that Plex has been swift to act and inform its customers. Sadly that’s not always the way. There’s no indication any serious damage has occurred, but an abundance of caution is never a bad thing.