Popular streaming media platform Plex is scrambling to reset user passwords after a database hack that included the theft of emails, usernames, and encrypted passwords.
Plex, a California company that runs a streaming media service and a client-server media player platform, confirmed that a third-party “was able to access a limited subset of data” from a compromised database.
The company is urging all Plex users to immediately reset account passwords and log out of all devices connected to its service.
From the Plex notification:
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.
The company said credit card and other payment data are not stored on its servers and were not vulnerable or compromised in this incident.
[ READ: Apple Patches New macOS, iOS Zero-Days ]
Plex did not provide details on the database hack or whether any software vulnerabilities were exploited.
“We’ve already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions,” the company said.
“While the account passwords were secured in accordance with best practices, we’re requiring all Plex users to reset their password.”
In addition to immediate password resets, Plex is recommending that users tick off the checkbox to “Sign out connected devices after password change.”
“This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security,” the company said.
Related: Twilio Hacked After Employees Tricked Into Giving Up Login Credentials
Related: Media Streaming Company Plex Hacked, Blackmailed
Related: Plex Media Server Abused for DDoS Attacks
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
- Investors Make $6M Bet on Manifest for SBOM Management Technology
- Entro Raises $6M to Tackle Secrets Sprawl
- IBM Snaps up DSPM Startup Polar Security
- Huntress Closes $60M Series C for MDR Expansion
Latest News
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Security Pros: Before You Do Anything, Understand Your Threat Landscape
- Major Massachusetts Health Insurer Hit by Ransomware Attack, Member Data May Be Compromised
- Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
- European Cybersecurity Firm Sekoia.io Raises $37.5 Million
- Today’s Cyber Defense Challenges: Complexity and a False Sense of Security
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations

