Plex has reportedly been breached by an unknown third party that accessed a subset of the streaming company’s data including people’s emails, usernames and hashed passwords. The company admitted the breach in a letter sent to the affected users and stated that it had already addressed the issue.
The company started an investigation immediately after noticing suspicious activity on one of its databases. While it was able to revoke the attacker’s access, Plex hasn’t revealed the attack method or the vulnerability that the attacker exploited to gain access, and it is doing additional reviews to ensure something like this doesn’t happen down the road.
According to the company, the password change requirement is out of an abundance of caution rather than a preventive measure. It assured users that it doesn’t store credit card information or any other payment data on its server, meaning the threat actor didn’t have any access to it.
While the number of impacted users hasn’t been announced, Troy Hunt, creator of the Have I Been Pwned service, was also affected and received a notification from the company. Hunt pointed out in his tweet about the situation that while there isn’t a lot we can do as subscribers to avoid getting caught out by such breaches (short of not using the service), using password generators and multi-factor authentication can help reduce the risk to a minor inconvenience.
Several users on Twitter, including Hunt himself, have also reported getting internal server errors when trying to change their passwords as required by Plex. While there’s no word from Plex on the issue just yet, it seems that not signing out of connected devices lets the password change go through. Plex did include a password reset guide in its notification, but it doesn’t seem to cover this error either.