Millions of Plex users may be at risk in password breach

Users of home media streaming service Plex have been warned to reset their passwords immediately following a breach in which an undisclosed third party was able to make off with a user dataset that included email addresses, usernames and passwords.

Service users were contacted by Plex on Wednesday 24 August after the firm discovered suspicious activity on one of its databases on 23 August. It said it believed the actual impact to have been limited, and that all accessed passwords were “hashed and secured in accordance with best practice”. However it is thought that up to 15 million of approximately 30 million users may have been affected.

“Out of an abundance of caution we are requiring all Plex accounts to have their password reset,” the firm said in an email seen by Compute Weekly. “Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.”

Plex added: “We’ve already addressed the method that the third party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions.”

The firm has directed users to its password reset guide, which can be found here, and is recommending that users consider implementing some form of multifactor authentication (MFA) protection on their accounts if they have not already done so.

It said: “We’d also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email.

“We sincerely apologise to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring.”

It is understood that the Plex service also experienced a period of downtime on 24 August, although it is unclear whether or not this was related to the incident. It was possibly caused by users accessing their accounts in great numbers. The organisation has made no further comment on the incident.

Plex got its start in the late 2000s as a freeware media centre app for Apple Mac products by developer Elan Feingold.

It has since evolved into a widely used media player system based around a client-server model that enables its users to organise their own media – such as audio, photos and video – from their PCs and online services and stream it to the player of their choice. More recently, it has branched out into offering ad-supported video-on-demand and free-to-view live television channels.

It works with multiple platforms, including Android, Apple TV, Chromecast, Roku, iOS, PlayStation, Sonos, webOS, Windows, Xbox and macOS.

Geoffrey Fisher, senior director for integration strategy at Tanium, commented: “It appears Plex has put forth a sound incident response, and what appears to be many security best practices, but suffered an additional blow due to resources issues that further crippled their system when users attempted to change credentials en masse.

“What’s interesting is the potential fallout stemming from the tech savviness of Plex’s subscriber base and how they will respond to this breach. There could be implications down the road.    

Fisher added: “Ultimately, this intrusion reinforces the seemingly age-old adage to avoid the reuse of passwords. As a call to action, users should heed the recommendation to change their Plex credentials and utilise the available MFA. 

“More importantly, they should ensure they never reuse passwords across applications or platforms. This can’t be overstated because a successful attack can happen against any organisation, so it’s important to do your part with password variations to mitigate the fallout.”