On August 24, Plex sent an email to its users warning them that it had detected suspicious activity on its servers. The company believes that user emails, usernames, and encrypted passwords were accessed and so it’s now taking the precautionary step of requiring that all of its customers reset their passwords. This will be required on all Plex client software as well as any Plex servers that folks may be running to manage their media.
In the email that was sent out, Plex management wrote:
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
According to the company, it has already begun an investigation into the unauthorized access, and the method used to gain entry to Plex’s servers has been “addressed.” It’s not clear, however, whether that method involved unpatched software, a zero-day exploit, or something more fundamental, like an internal breach of security.
Plex further said that it is “doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions.”
For now, Plex’s guidance for its users is to simply undertake an account password reset, a roughly seven-step process. After doing this, you’ll need to sign back in on any Plex software you use, whether on a smart TV, streaming device, or any other hardware you use to access Plex.
Unfortunately, the sheer number of Plex users who have to go through this process seems to be causing outages and errors. Many Plex users have reported problems on Twitter when trying to change their passwords or emails. I didn’t have a problem with that step, but when I attempted to log back in using the new credentials on my Nvidia Shield TV, I couldn’t do so.
Hopefully these issues will iron themselves out soon as Plex gets a better handle on the sudden demand on its infrastructure.