In an email sent to its users, Plex has revealed that a cybercriminal accessed some customer data, including emails and encrypted passwords.
From the email that was sent out by the Plex security team:
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
What to do
Plex advised all customers to reset their passwords immediately. While doing that, it asked customers to make sure the checkbox “Sign out connected devices after password change” is ticked. This will sign out all of your devices and require you to sign back in with your new password.
It’s also worth making sure you have two-factor authentication set up on your account to add an extra layer of security.
Some users experienced some problems following the instructions provided by Plex. Here’s this from Troy Hunt of “Have I been pwnd?”:
Apparently it helps to uncheck the recommended “Sign out connected devices after password change” option and the password change will work.
If you have reused your Plex login credentials elsewhere, you will want to change the passwords on those sites and services as well, since there is a chance that they will end up in a database for sale on the Dark Web.
If you are having trouble keeping track of all the different passwords, we advise using a password manager.
Also be wary of phishing mails that may or may not be targeted at Plex users. Exfiltrated email addresses like these have a tendency to surface in phishing campaigns.