Plex tells users to reset passwords after new data breach
Media streaming platform Plex is warning customers to reset passwords after suffering a data breach in which a hacker was able to steal customer authentication data from one of its databases.
In a data breach notification seen by BleepingComputer, Plex says the stolen data includes email addresses, usernames, securely hashed passwords, and authentication data.
"An unauthorized third party accessed a limited subset of customer data from one of our databases," reads the Plex data breach notification.
"While we quickly contained the incident, information that was accessed included emails, usernames, and securely hashed passwords."
"Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party."
Plex has not shared what hashing algorithm was used, raising the possibility that attackers could attempt to crack the passwords.
Therefore, Plex recommends that users, out of an "abundance of caution," reset their password at https://plex.tv/reset and also enable the "Sign out connected devices after password change" option when doing so.
This will reset your password and log out any existing connections utilizing your own credentials. However, this will also require you to log in again on any devices using those credentials.
For those using SSO to log in to Plex, the company recommends you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says" Sign out of all devices". Once again, you will need to log back into devices using your credentials.
The company is also reminding users to enable two-factor authentication for added protection and stresses that it will never ask for passwords or credit card details over email.
Plex says no payment card information was included in the breach, as it's not stored on its server.
The company says it has addressed the method used to breach its server, but did not share any further technical details about the attack.
BleepingComputer contacted Plex with questions about the breach and will update the article if we hear back.
This is not the first time Plex users have been forced to reset their passwords due to a data breach.
In August 2022, Plex suffered an almost identical data breach, with authentication data and hashed passwords exposed in the attack.
