783
Plex got hacked. (forums.plex.tv)
submitted 1 month ago by als to c/technology@lemmy.world
136 comments fedilink hide all child comments

We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.

What happened

An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.

Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.

What we’re doing

We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.

What you must do

If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.

If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

Additional Security Measures You Can Take

We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.

Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.

For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset

top 50 comments
sorted by: hot top controversial new old
[-] JasonDJ@lemmy.zip 456 points 1 month ago* (last edited 1 month ago)

  • admitted the issue immediately

  • reassured users as to actual scope of breach, probable risk

  • provided recommended actions for users who think they may be impacted.

  • explained best-practices (enough for a laymen's audience) and how they limited scope and impact.

  • did not deflect blame

My god....I've got to hand it to plex. This is the perfect incident response letter. Love 'em or hate 'em, this is a good example for other CISOs.

[-] Gutless2615@ttrpg.network 52 points 1 month ago* (last edited 1 month ago)

I mean I don’t understand the accolades for literally just following the law.

[-] scratchee@feddit.uk 79 points 1 month ago

You can follow the law and still screw up the response/announcement pretty badly, and so many do not even manage that much.

So yeah. It’s satisfying when someone acts both professionally and conscientiously in a situation like this.

[-] 8uurg@lemmy.world 16 points 1 month ago

Yeah, even if it is the law, companies do tend to fall short of adhering to said law. For example, a lab that does cancer screening got hacked and pretty much messed up their entire response.

[-] Cocodapuf@lemmy.world 11 points 1 month ago

Yeah, I have to agree. When a breach occurs (and it happens to just about every organization at some point or another) a press release this honest, responsible and immediate is not really the norm. I see this as a show of competence on the security front and integrity for the company as a whole.

I do wish Plex wasn't further enshitifying their product more with every release, but that's a different issue.

[-] lazynooblet@lazysoci.al 11 points 1 month ago

They didn't provide any real timelines, unless I missed something. Trust me bro, we shut it down real fast.

[-] kbobabob@lemmy.dbzer0.com 10 points 1 month ago

I don't understand what the difference would be. The damage is done and they notified people of those damages.

[-] lazynooblet@lazysoci.al 11 points 1 month ago

Well, if it said "The attacker gained access to systems in October 2023 and we patched out the vulnerability during March 2025," you'd be asking why it took so long to discover the intrusion and why they didn't let us know for six months?

[-] kbobabob@lemmy.dbzer0.com 10 points 1 month ago

Well, if it said...

It didn't

load more comments (1 replies)
load more comments (4 replies)
[-] Grandwolf319@sh.itjust.works 205 points 1 month ago

Man. My decision to go with Jellyfin just keeps paying off more and more

[-] aeternum 13 points 1 month ago

jellyfin is goated. Long live jellyfin!

[-] thelittleblackbird@lemmy.world 9 points 1 month ago

Y hope you know how to harden jellyfinn, because they are not better than plex team....

[-] Waryle@jlai.lu 11 points 1 month ago* (last edited 1 month ago)

My Jellyfin is behind a Crowdsec + Cloudflare proxy with geoblocking and other protections + Reverse Proxy with additional protections, in a rootless Docker container with no access to the Docker socket, and has only access to a mounted folder which contains just downloaded movies and shows. The effort to break in is high, the reward very low.

But the most important difference between Jellyfin and Plex is that neither Jellyfin devs nor Jellyfin instances have any personal or credit card information from their users, and therefore are way less a problem if hacked into.

load more comments (13 replies)
[-] daniskarma@lemmy.dbzer0.com 9 points 1 month ago

Jellyfin dev team is not in charge of your self hosted security though. You know what you are getting, source code available, and it's up to you setting the security.

load more comments (4 replies)
load more comments (4 replies)
[-] MaggiWuerze@feddit.org 9 points 1 month ago* (last edited 1 month ago)

Good luck getting a similar reaction to the myriad of security issues Jellyfin has

[-] VeganCheesecake 14 points 1 month ago

Yeah, but you can run jellyfin with local accounts, entirely within a VPN. Pretty much makes most security issues irrelevant.

[-] MaggiWuerze@feddit.org 9 points 1 month ago

Which is the exact mindset that enables Jellyfin devs to not fix those issues, congratulations

load more comments (5 replies)
[-] ayyy@sh.itjust.works 147 points 1 month ago

I harbor a strong dislike for the profiteers at Plex but their security incident response is textbook correct. Good job security dudes! The rest of your stupid company should listen to you more often.

[-] skisnow@lemmy.ca 33 points 1 month ago

It shows how low the bar is, that just bare bones complying with GDPR notification requirements so as not to risk a €20M fine, is enough to make people talk about how good a job you did.

[-] reptar@lemmy.world 19 points 1 month ago

As I slide the needle from "strongly dislike" to "not a fan".

Good on em

[-] fmstrat@lemmy.nowsci.com 13 points 1 month ago

Overall I agree, but not requiring users to change password when the hashes were taken is a bit too soft IMO.

It will also be interesting to see if they make a public disclosure about the specifics of who and how. They also don't specifically define if media watched data was included or excluded.

Either way, happy I migrated to Jellyfin.

[-] kuberoot@discuss.tchncs.de 11 points 1 month ago

I do think they missed a bit about password reuse, since they tell you to reset the password on their site, you should be changing the password on any other sites where you reused it. But yeah, not arguing about it being good otherwise.

load more comments (9 replies)
[-] bigkahuna1986@lemmy.ml 105 points 1 month ago

I guess I'm going to find out if they really deleted my user data when I asked them to

load more comments (4 replies)
[-] CriticalMiss@lemmy.world 88 points 1 month ago

Jellyfin advertisement 🤷‍♂️

[-] BackgrndNoize@lemmy.world 14 points 1 month ago* (last edited 1 month ago)

Stuff like this can happen to any app, developers are only human, shit happens. A bigger company is a bigger target for hackers, so there is some saftey in an open source app that's not as popular, but then again a bigger company also has more resources to monitor for security breaches and quickly address them and push out a hot fix, can't say I know how this works for free open source apps

[-] Sneptaur@pawb.social 17 points 1 month ago

I think the point here is that Jellyfin doesn't have a centralized login or website like Plex does. An attacker would have to know about your server and log into it directly to get access. If you run it in a container, there isn't a lot they can do other than trashing your media library, which you should have protected with filesystem snapshots anyway.

load more comments (2 replies)
load more comments (3 replies)
[-] johnwicksdog@aussie.zone 68 points 1 month ago

I think that’s a pretty good response. More details will probably emerge in the next few days that could change my mind, but for now that gives me a bit of confidence in their platform.

In comparison, a few years ago I was a patient at an IVF clinic in Sydney. I saw some absolutely bonkers security and repeatedly raised it with them. They wouldn’t hear it, and almost expectedly they were hacked and now my sperm count is public information. Their response was delayed and appalling. If my medical records were treated a severely as a streaming platform, I would have been happy.

[-] toxuin@lemmy.ca 62 points 1 month ago

Keep in mind that the only reason they deny you the ability to log in to your own local service with your own local sign-in method is that they may upsell you on their cloud junk. If there’d be no cloud account involved - your data would not be at risk and/or leaked. They endangered your privacy for marketing purposes.

If you have not moved off of Plex - do it now. This company is fully rotten.

The email they sent out has reply-to address that conveniently does not work…

load more comments (1 replies)
[-] ngwoo@lemmy.world 23 points 1 month ago

Glad I never gave Plex any payment details, don't reuse passwords, and don't plan on using it any more so I can just ignore this

[-] hackitfast@lemmy.world 9 points 1 month ago

I bought a lifetime subscription years ago, and even if the payment method got decrypted, it's well expired. Not to mention I haven't had a Plex server running for ages.

load more comments (1 replies)
load more comments (1 replies)
[-] moseschrute@lemmy.world 23 points 1 month ago* (last edited 1 month ago)

I’m not a security expert, but password hashing is mostly to slow down someone from getting all the passwords. You can’t reverse the hash, but you can generate hashes until you find a match. When hashing, you can dial in how much compute it would take someone to try and solve all the hashes in your database. If you used a good password, it will be more difficult to solve your hashed password. But it’s best to change your password as Plex suggests.

So it depends on how secure a password is and how strong of hashing Plex used when storing the hashed passwords. I have no idea if this is like a “this will take a year” or “this will take a billion years” to solve all the hashes. More compute also means you can solve the hashes faster. Maybe someone with a security background could chime in.

[-] mic_check_one_two@lemmy.dbzer0.com 22 points 1 month ago

You can’t reverse the hash, but you can generate hashes until you find a match.

That’s called a rainbow table attack, and that’s why you should salt your hash. This salt basically appends a unique string of characters to every password before it goes into the hash. Let’s say your users are dumb and use “password” for their password. If a hacker has pre-generated a rainbow table, (which is extremely time and resource intensive), then they’ll instantly crack that as soon as they get a match on those common passwords. Even if they haven’t generated a rainbow table, they can just look for identical hashes and guess that those users are using common passwords.

But if you salt it, it’ll slow the hackers down drastically by invalidating their pre-generated table. Each user has their own salt stored alongside the username and hash, so User 1’s hash actually saw “password19,jJ03pa5/-@“ while user 2’s hash saw “passwords)205JrGp02?@-“. Because each of their salts are unique, their resulting hashes are unique too. Even though they used the same password. Now the hackers need to crack the hash for each user, by incorporating the existing salts for each user. They’ll start with the weak and common passwords first, which is why it’s still best practice to use strong passwords. But they can’t actually start the rainbow table process until after they have hacked the info, and they’ll need to create fresh tables for every single user.

[-] ClanOfTheOcho@lemmy.world 8 points 1 month ago

Best explanation of salt I've ever seen. Thanks!

load more comments (1 replies)
load more comments (4 replies)
[-] NewNewAugustEast@lemmy.zip 20 points 1 month ago* (last edited 1 month ago)

Can someone finally realize we need to hash the emails too? I don't really give a fuck about my passwords, I can change them and they have 2fa.

But changing my email? Pain in the ass and far more irritating to deal with.

Edit: late Nate, I meant encrypted.

[-] Jason2357@lemmy.ca 13 points 1 month ago

Then how would they email you?

Look at addy.io and similar.

[-] some_kind_of_guy@lemmy.world 11 points 1 month ago

Ideally, they wouldn't

load more comments (6 replies)
load more comments (3 replies)
[-] ipkpjersi@lemmy.ml 19 points 1 month ago

I think you mean Plex got hacked AGAIN

lol

[-] boonhet@sopuli.xyz 19 points 1 month ago

Hope they did actually delete my data when I deleted my account, but I don't think I use that password anywhere anymore anyway.

load more comments (1 replies)
[-] Matty_r@programming.dev 16 points 1 month ago

This isn't the first time they've been breached, there was an incident in 2015 and 2022 as well. From what I can gather its the same info being gathered each time.

There might be others but I can't find th at the moment.

load more comments (3 replies)
[-] BrianTheeBiscuiteer@lemmy.world 16 points 1 month ago

Easiest decision to delete an account I've ever made.

[-] ramjambamalam@lemmy.ca 15 points 1 month ago* (last edited 1 month ago)

They say that passwords are hashed but were they salted?

[-] inclementimmigrant@lemmy.world 11 points 1 month ago

End of the day does it even matter? They've gotten a ton of other information including authentication data which is probably just as, if not more, useful/lucrative to them.

From another source:

Server owners will also have to claim their server again and possibly update it, as Plex has also announced that it had “made adjustments” that will temporarily prevent “regular” users from connecting to any Plex server they have been granted access to.

The reason given is that too many Plex Media Server instances have yet to be updated to version 1.42.1, which contains a fix for a vulnerability (CVE-2025-34158CVE-2025-34158) that could be exploited remotely by authenticated users to gain access to the server and tamper with it and the data on it.

load more comments (1 replies)
load more comments (2 replies)
[-] ArmchairAce1944@discuss.online 10 points 1 month ago

This is why I barely trust any streaming platform... I mean I try to not use my 'real' email for anything (and I stupidly linked my other emails to it on my phone, so Google basically knows it even if they dont have direct access to the inboxes).

There is so much shit being hacked that the idea that rhat any information we put out there isn't already available on the darkweb is stupid. Even some AI camera surveillance company has said that they built their database in part based on information they bought from the darkweb (I need to get the source again).

And I rarely hear about those same hackers getting caught. Its almost like they have it down to a T and it is simply too profitable and the chances of getting caught are too minimal to care. And this shit is continuing despite all the legislation being passed to monitor more and more internet activity, which makes me think if any of it will even work?

It is still rare that someone truly criminal is caught because of some internet searches. Most data is collected from confiscated computers and if they simply deleted their browsing history and used a basic file shredder to wipe their free space they would not be able to recover anything.

[-] Patches@ttrpg.network 9 points 1 month ago* (last edited 1 month ago)

If you have Synology using DSM style install

Here is how to "claim" or login to your server that it logs you out of.

https://forums.plex.tv/t/synology-faq-questions-answers-and-how-tos/490215/39

Tldr; Uninstall but keep files. Reinstall using the existing files and a newly token.

Sure would've been nice to know this 2 hours ago.

[-] Zink@programming.dev 8 points 1 month ago

I'm sure Plex has some great engineers, and Plex's infrastructure is far more hardened and secure and reliable than my Jellyfin server.

But they are a way way more likely target, and Jellyfin still performs far better and doesn't try to sell shit to my family members.

load more comments (3 replies)
[-] wreckedcarzz@lemmy.world 7 points 1 month ago

I received this email, but two of my users who have their own accounts (not just profiles on my account) did not receive this. Thinking only server owners were affected?

load more comments
view more: next ›
this post was submitted on 08 Sep 2025
783 points (100.0% liked)

Technology

76365 readers
935 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws