Article Details

Scrape Timestamp (UTC): 2025-09-09 13:49:41.507

Source: https://www.theregister.com/2025/09/09/plex_breach/

Original Article Text

What the Plex? Streaming service suffers yet another password spill.

For the third time in a decade.

Streaming platform Plex is warning some users to reset their passwords after suffering yet another breach.

The popular media server provider, which people definitely use only for legitimately downloaded content, said in an email to customers, seen by The Register, that emails, usernames, and securely-hashed passwords were potentially stolen.

"Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party," the email reads.

"Out of an abundance of caution, we recommend you immediately reset your password by visiting https://plex.tv/reset. Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident."

The notification may leave longtime Plex customers with a sense of déjà vu, given that its previous unauthorized intrusions in 2022 and 2015 both involved the theft of hashed passwords.

According to HaveIBeenPwned, the 2015 breach, which exposed more than 327,000 accounts, was especially concerning because of the weak implementation of salted hashes, one that left passwords open to rapid cracking.

The full details of the latest attack were not revealed, such as the number of accounts affected, but the same data types were affected as in the 2022 incident.

Plex said it believes that the impact of the breach is "limited," and that it has already addressed the method the attacker used to break into its database.

The email added: "We're undergoing additional reviews to ensure that the security of all of our systems is further hardened to prevent future attacks."

Customers were prompted to reset their passwords and enable a setting in their accounts that logs them out of connected devices when that change takes effect.

"We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments," the company said.

"For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven't already done so.

"Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring."

According to customers who spoke to The Register, and reports on social media, not all Plex users have received the email notification, suggesting that the breach is limited to select users only.

We asked Plex for more information, including why only some customers were contacted, but it had not responded at the time of publication.

Daily Brief Summary

DATA BREACH // Plex Experiences Third Data Breach; Users Urged to Reset Passwords

Plex has experienced its third data breach in ten years, prompting a password reset advisory for affected users.

The breach potentially exposed emails, usernames, and securely-hashed passwords, though no credit card data was compromised.

Plex assures that accessed passwords were securely hashed, aligning with industry best practices to prevent third-party readability.

The company has addressed the breach method and is conducting additional security reviews to enhance system defenses.

Users are advised to reset passwords, enable two-factor authentication, and log out of connected devices for added security.

Previous breaches in 2015 and 2022 involved similar data types, with the 2015 incident revealing weaknesses in hash implementations.

Not all users received breach notifications, indicating a limited scope; Plex has yet to clarify the selection criteria for notifications.

Plex's swift detection and response underscore its commitment to improving security and preventing future incidents.