Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Plex Confirms Database Breach, Data Theft

Popular streaming media platform Plex is scrambling to reset user passwords after a database hack that included the theft of emails, usernames, and encrypted passwords.

Popular streaming media platform Plex is scrambling to reset user passwords after a database hack that included the theft of emails, usernames, and encrypted passwords.

Plex, a California company that runs a streaming media service and a client-server media player platform, confirmed that a third-party “was able to access a limited subset of data” from a compromised database.

The company is urging all Plex users to immediately reset account passwords and log out of all devices connected to its service.

From the Plex notification:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. 

The company said credit card and other payment data are not stored on its servers and were not vulnerable or compromised in this incident.

[ READ: Apple Patches New macOS, iOS Zero-Days ]

Plex did not provide details on the database hack or whether any software vulnerabilities were exploited.

“We’ve already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions,” the company said.

“While the account passwords were secured in accordance with best practices, we’re requiring all Plex users to reset their password.”

In addition to immediate password resets, Plex is recommending that users tick off the checkbox to “Sign out connected devices after password change.” 

“This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security,” the company said.

Related: Twilio Hacked After Employees Tricked Into Giving Up Login Credentials

Related: Media Streaming Company Plex Hacked, Blackmailed

Related: Plex Media Server Abused for DDoS Attacks

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.