A Plex data breach has exposed usernames, email addresses, and encrypted passwords. The scale of the security failure is not yet known, but the company is requiring all users to change their passwords.
The issue was compounded by Plex servers not having sufficient capacity to cope with the number of users attempting to do so, and a series of other problems …
Plex this morning emailed all users to advise them that a third party was able to access “a limited subset of data,” but did not reveal how many accounts were affected.
We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
We’ve already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we’re requiring all Plex users to reset their password.
Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there’s a checkbox to “Sign out connected devices after password change.” This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password here.
As the time of writing, password changes were not being forced. However, some of those attempting to do so report that they have been unable to do so.
“Can’t change password due to internal server error”
“I went ahead and logged into my account to change my password. Thing is, that didn’t work. I tried a few times, but when I submit the change password form hangs in there with a spinning icon for about 30 seconds, then I get ‘Internal Server Error. Something went wrong on our end.'”
“I also get an internal server error (500) response when trying to use the password reset feature and sign out of all connected devices.”
Other users have been able to change their passwords, but are experiencing other difficulties when logging in again. A number of users report getting “Not authorized” or “You do not have access to this server” messages for their own servers. Some report success when logging in and claiming the server again, though others have had no luck with this.
It appears Plex has not arranged sufficient additional bandwidth to cope with the flurry of password change attempts. Additionally, the password reset page asks for the new password before the existing one, which is obviously unexpected and may account for some of the failures.
Plex recommends enabling two-factor authentication within your account settings. Note that you can only do this if you registered with your email address – if you used Google or another account to register, 2FA is not available.
The company offered its apologies for the Plex data breach, and said that it is reviewing its security.
If you’re unable to change your password or access your account, it’s worth waiting a few hours and then trying again (assuming you use strong, unique passwords so that a breach wouldn’t allow access to any of your other accounts).
Plex last got into trouble back in April, when a Universal Watchlist feature was found to provide a means for children to watch restricted content.
FTC: We use income earning auto affiliate links. More.
Comments