Digital media player and streaming service Plex sent a letter to users warning that a “third-party was able to access a limited subset of data,” including emails, usernames, and encrypted passwords.
Plex said it has already addressed the method the attacker used to gain access to its systems and is conducting additional security reviews. The company also said it doesn’t store credit card or other payment data on its servers, so the attacker was not able to gain access to that data. Finally, Plex says it is requiring all Plex accounts to reset passwords “out of an abundance of caution.”
However, Plex did not share what method the attacker used to gain access.
Aw crap, I’m pwned in a @plex data breach. Again. I can’t do anything to *not* be in a breach like this (short of not using the service), but a @1Password generated random password and 2FA enabled makes this a mere inconvenience rather than a genuine risk. pic.twitter.com/XetB3IGUh3
— Troy Hunt (@troyhunt) August 24, 2022
Interestingly, ‘Have I Been Pwned’ creator Troy Hunt was “pwned” in the Plex breach. Hunt tweeted a copy of the letter along with a reminder that users can’t do anything to avoid being caught in a breach, but they can take steps to lessen its impact. For example, using a password manager to generate unique, random passwords for each account, as well as using two-factor authentication (2FA), can help mitigate the severity of security breaches.
If you use Plex, you should go change your account password now. However, several users report having issues with changing their password; per Hunt’s tweets, it seems there’s an issue with the option to sign out connected devices after changing the password. As such, anyone having issues changing their Plex password should uncheck the option to sign out connected devices, as that should fix the problem.