Has Plex been hacked? What should you do if your credentials might be in the hands of hackers? Here’s what you need to know.
Plex users, who employ the service to manage and stream their media libraries at home, need to change their passwords as soon as possible after a data breach exposed user credentials to a third party.
What Is the Plex Data Breach?
Account holders were alerted to the breach by email early on Wednesday, August 24, 2022, a day after the Plex security team noticed suspicious activity in their database. According to the organization, the third party was able to “access a limited subset of data that includes emails, usernames, and encrypted passwords.” The statement further explained:
“Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset”
For those not in the know, Plex makes it easy for users to self-host a complete media center on their own hardware, and stream music, movies, shows, and live TV to other devices through a web browser and dedicated apps.
Unlike other self-hosted media server software, such as Jellyfin, Plex requires that users create an account, with credentials being stored by the organization. Authentication is also handled centrally by Plex rather than by the user’s own server.
While it’s extremely unlikely that hackers can make any use of the stored passwords, Plex is both “requiring” and “kindly requesting” that every user immediately reset their password and take extra security precautions.
What You Need to Do After Plex Was Hacked
Changing passwords is the common-sense way for users to secure their Plex account. You will also need to sign out of all connected devices and then log back in. Plex also suggests and requests that you enable two-factor authentication on your Plex account.
Although payment methods are never stored on Plex servers, and your passwords are probably safe because they were hashed, it’s worth noting that the security email did not state that usernames and email addresses are protected in any way. Attackers can do a lot with your email address, so if you use that email address for any other service, it’s worth changing it. You could also look into some kind of aliasing solution for sign-ups and logins.
And though we advise that no one use the same password on multiple services, we also know that the vast majority of people do anyway. Consider that password compromised. So if you reuse it on any other account, you should change it there too.
Data Breaches Happen All the Time
Plex is certainly not the first company or organization to declare a data breach over leaked email addresses, usernames, and hashed passwords, and it won’t be the last. Make sure you take care of your credentials and regularly check them against databases such as HaveIBeenPwned.