Security Experts:

Plex Confirms Database Breach, Data Theft

Popular streaming media platform Plex is scrambling to reset user passwords after a database hack that included the theft of emails, usernames, and encrypted passwords.

Plex, a California company that runs a streaming media service and a client-server media player platform, confirmed that a third-party “was able to access a limited subset of data” from a compromised database.

The company is urging all Plex users to immediately reset account passwords and log out of all devices connected to its service.

From the Plex notification:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. 

The company said credit card and other payment data are not stored on its servers and were not vulnerable or compromised in this incident.

[ READ: Apple Patches New macOS, iOS Zero-Days ]

Plex did not provide details on the database hack or whether any software vulnerabilities were exploited.

“We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions,” the company said.

“While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.”

In addition to immediate password resets, Plex is recommending that users tick off the checkbox to "Sign out connected devices after password change." 

“This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security,” the company said.

Related: Twilio Hacked After Employees Tricked Into Giving Up Login Credentials

Related: Media Streaming Company Plex Hacked, Blackmailed

Related: Plex Media Server Abused for DDoS Attacks

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.