this post was submitted on 08 Sep 2025
787 points (99.5% liked)

Technology

74980 readers
2828 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
787
Plex got hacked. (forums.plex.tv)
submitted 1 day ago by als@lemmy.blahaj.zone to c/technology@lemmy.world
291 comments fedilink hide all child comments
 

We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.

What happened

An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.

Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.

What we’re doing

We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.

What you must do

If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.

If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

Additional Security Measures You Can Take

We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.

Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.

For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset

you are viewing a single comment's thread
view the rest of the comments
[–] priapus@piefed.social 2 points 1 day ago* (last edited 1 day ago) (1 children)

If you believe the threat of a company scanning a Jellyfin server in an attempt to find copyrighted media is a realistic one, then that's fine. I do not.

your more worried about the data that secures your media more than the actual security of the media?

As I said previously, friends and family use my server. Many who are likely to fall for phishing attempts after their email is leaked in a breach like this. I believe the likelihood of them receiving a malicious email from an attacker pretending to be Plex after a breach is much higher than a company successfully scanning my server for copyrighted materials.

Edit:

Like I've said a few times. I agree that this should be changed. I do very much hope that Jellyfin does so, and I do feel that it's worth warning users about. I also still find Jellyfin to be a better option for me than Plex. My own risk tolerance allows for the incredibly tiny possibility a company successfully finds media on my server.

There is no point in continuing this discussion, as we simply disagree, and that is not going to change here.

[–] Saik0Shinigami@lemmy.saik0.com 1 points 1 day ago

So now your users could be phished by a Plex phish... which gets the attacker access to your plex instance upon success? But you already said that you don't find that worth securing since in JF it's not secure by default... I'm fully not understanding here. Is the worry that your users are reusing passwords?

Any user for your system getting an actual phish for plex will at worst get a request to pay for something. Of which I bet they'd talk to you about it as the server owner first since I doubt anyone would want to pay for something you've given them for free.

I'm not seeing the risk here. Want to expound on that? I can clearly see the risk of direct media access if copyright holders start making random claims for things they find on default insecure servers.