Streaming media platform Plex sent out an email to its customers earlier today notifying them of a security breach that may have compromised account information, including usernames, email addresses, and passwords. While Plex’s message says “all account passwords that could have been accessed were hashed and secured in accordance with best practices,” it is still advising all users to change their passwords immediately.
Plex is one of the largest media server apps available, used by around 20 million people to stream video, audio, and photos they upload themselves in addition to an increasing variety of content the service provides to paid subscribers.
“A third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords”
The email states, “Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.” There is no indication any other personal account information has been compromised, and there’s no mention of access to private media libraries (which may or may not include pirated content, private nudes, and other sensitive content) having been accessed in the breach.
Plex’s email also reassures customers that financial information appears to be safe despite the breach, stating, “credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.”
The cause of the breach has been found, and Plex says it has taken action to prevent others from taking advantage of the same security flaw. “We’ve already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions.”
“We’ve already addressed the method that this third-party employed to gain access to the system”
If you have a Plex account, you should take steps to secure it immediately, following these instructions provided by the company. You should also enable two-factor authentication if you haven’t already. Plex puts the two-factor authentication option under your Account page.
Additionally, you should be using either a free or paid password manager to easily manage unique, difficult-to-guess passwords and 2FA codes across all your apps, services, and sites. Web browsers such as Google Chrome, Microsoft Edge, and Safari have decent built-in options these days, though dedicated services are also available from the likes of Bitwarden, 1Password, and LastPass. Some password managers will alert you to passwords that have been breached online and autofill passwords when prompted by apps and websites on your desktop and phone.
Update August 24th, 10:14AM ET: Updated clarify that while passwords were included in the data that was potentially accessed, Plex claims they were “hashed and secured in accordance with best practices.”