On August 24, Plex sent an email to its users warning them that it had detected suspicious activity on its servers. Without knowing exactly what user data might have been accessed, the company is taking the precautionary step of requiring that all of its customers reset their passwords. This will be required on all Plex client software as well as any Plex servers that folks may be running to manage their media.
In the email that was sent out, Plex management wrote:
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
The company says it has already begun an investigation into the unauthorized access and that the method used to gain entry to Plex’s servers has been “addressed,” though it’s not clear whether the intrusion was due to unpatched software, a zero-day exploit, or something more fundamental, like an internal breach of security.
Plex further said that it is “doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions.”
For now, Plex’s guidance for its users is to simply undertake an account password reset, a roughly seven-step process. After doing this, you’ll need to sign back in on any Plex software you use, whether on a smart TV, streaming device, or any other hardware you use to access Plex.