
Plex suffers data breach; third-party gains access to emails, usernames and more

Plex has emailed its users to warn about a security incident it has become aware of. While the subject line of the email refers to a “potential data breach”, the body goes on to talk about suspicious activity and a third-party gaining access to part of a database.

The company says that the exposed data included emails, usernames and encrypted passwords. Although all passwords were secured and hashed, all Plex users are required to change their security credentials out of an “abundance of caution”.

In the email, Plex says: “We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure”.

It goes on to inform users:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

The company says it is taking steps to help avoid something similar happening again and is requiring all users to reset their passwords.

Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there’s a checkbox to “Sign out connected devices after password change.” This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password.

What if Your Plex Account Requires a Password Reset?

It’s possible that in some cases, your Plex account might be flagged as requiring a password reset before you can continue to use it. Here’s how to handle that.

Request a Password Reset

To reset the password on the Plex account:

  1. Open a Private/Incognito browser window.
  2. Go to the password reset request page (https://app.plex.tv/auth#?resetPassword). (Or if you’re concerned about phishing, go to the main Plex website in the Private/Incognito browser window, choose to Sign In, then click the Forgot? link on the sign-in form.)
  3. Enter the email address of your Plex account and submit the form.
  4. Assuming a Plex account exists linked to that email address, we’ll send the password reset email. (This should normally arrive within a minute or two, but could be delayed in some cases either on our side or being delivered on your mail processor’s side.)
  5. Take the link from the password reset email and paste it into the Private/Incognito browser window.
  6. Choose a new, strong, unique password. (Do not use the same password as any other website or service.)
  7. You can optionally enable the Sign out connected devices after password change checkbox when resetting the password. That helps secure the Plex account by signing all your player apps and any Plex Media Server you own out. You’ll then need to sign back in to your account in each app/server.

Tip!: If you do choose to “Sign out connected devices after password change” as part of your password reset, then you’ll need to sign in again to any player/client apps you use as well as any Plex Media Server you own. You’ll find information below on how to do so.

Not receiving password reset email

If you’ve waited a couple of hours after requesting the password reset and can’t find the email, there are a few things to do/check:

  • Make sure you spelled the email address correctly when requesting the reset.
  • Check your spam, trash, promotions, or similar mailboxes in your email account. “Automated” emails like a password reset can sometimes be flagged incorrectly by your email.
  • Add the following two addresses to your allowed/approved sender list and then request another reset: noreply@plex.tv and hello@mail.plex.tv

Sign in to Your Player/Client Apps

In cases where your connected devices were signed out as part of the password reset, you’ll then need to sign in to your Plex account in the apps again. There are two main methods of signing in to your Plex account in an app:

  1. Apps where you can easily type things (e.g. mobile apps, the web app, and our website) will allow you to directly sign in to your Plex account. You can sign in using the standard methods: Email & password, Google Login, Facebook Login, Sign in with Apple.
  2. Our big screen apps (such as Android TV, Apple TV, smart TVs, etc.) generally allow you to connect the app to your account by way of a 4-character link code. This allows you to connect to your account without having to laboriously enter login credentials via an on-screen keyboard or similar. The app will display the 4-character link code, which you then enter on the https://www.plex.tv/link/ page (once signed in on the website).

Related Page: Connect a Player App to Your Plex Account
Related Page: https://www.plex.tv/link/

Sign In/Claim Your Plex Media Server

Claiming a Plex Media Server with your account can sometimes be a bit more involved than simply signing in to a player app. Broadly speaking, what you need to do:

  1. Open the local/bundled version of the Plex Web App that comes with the Plex Media Server. (See below for more details on accessing this.)
  2. Sign in to your Plex account under the menu on the top right.
    The 'Sign In' option highlighted under the account menu at the top right of the local/bundled web app.
  3. Click the Settings button in the top bar and then select General under the server entry in the sidebar. If more than one Plex Media Server is present on the network, select the server in which you’re interested by using the dropdown on the left.
  4. Under General on the left, if your Plex Media Server is not currently signed in, you can sign in using the Claim Server button. That will claim (sign in) the server using the Plex account signed in to that web app (from step 2).
    Plex Media Server showing a warning that it is unclaimed and providing information for claiming the server

As mentioned, accessing the local/bundled web app can vary, depending on where you have the Plex Media Server installed. Find more details below.

Tip!: In the instructions below, when we reference using an IP address, you actually do need to use an IP address. Don’t try accessing via a Custom Server URL, a domain provided by your NAS device, or similar. You need to access via the appropriate IP address.

From the Same Machine Running Plex Media Server

The most straightforward case is just going to the machine running the Plex Media Server and opening a web browser there. (You could also do a “Remote Desktop” or similar into that machine, so that you’re acting locally on the machine.)

From the same machine running the Plex Media Server, open a browser window and go to http://127.0.0.1:32400/web. That will load the local/bundled version of the web app.

From a Different Machine on Same Network

Perhaps you have Plex Media Server running on a NAS device or a different computer on the same local network, though. In this case, open a browser window and go to http://server.local.ip.address:32400/web (e.g. “http://192.168.1.5:32400/web”). That will load the local/bundled version of the web app.

From Different Network

In rare cases, you may not be on the same local network (or the same subnet of the local network) as the Plex Media Server. This could be true of people running the server on a cloud hosted computer, for instance. If you’re on a different network than the server computer (or the entire “local network” is not in the private network IP ranges), you’ll first need to set up an SSH tunnel so that you can access things as if they were local.

Note: This is only necessary for the initial process to claim/sign in to the Plex Media Server. Once you’ve gone through the setup, you can access as normal.

The instructions can vary based on what type of operating system you’re using to connect to the machine running Plex Media Server.

macOS or Linux

  1. Open a Terminal window or your command prompt
  2. Enter the following command (substituting the IP address of your Plex Media Server as appropriate):
    ssh -L 8888:127.0.0.1:32400 ip.address.of.server
  3. Open a browser window
  4. Type http://127.0.0.1:8888/web into the address bar
  5. The browser will connect to the server as if it were local and load Plex Web App
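
The tunnel step above forwards a local port to the server "as if it were local", so it matters who else can reach that local port while the tunnel is open. The following is an added example, not part of the Plex instructions: it builds the same ssh command with the listener pinned to loopback and checks `ss -ltn` output for the forwarded port. The function names are hypothetical, and the listener check assumes the Linux `ss -ltn` column layout.

```shell
#!/bin/sh
# Added example (not Plex's code): the page's claim tunnel with the local
# listener pinned to loopback, plus a check of what is actually listening.

PMS_PORT=32400   # Plex Media Server port used in the page's URLs

# Succeed only for a dotted-quad IPv4 literal (the page's tip: IP, not hostname).
is_ipv4_literal() {
  case $1 in
    "" | *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  [ "$#" -eq 4 ] || return 1
  for _octet in "$@"; do
    [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
  done
}

# Print the ssh command for server $1 and local port $2 (default 8888).
# -N forwards without opening a remote shell; ExitOnForwardFailure aborts if
# the local port is taken; the 127.0.0.1 bind keeps the forward off the LAN.
claim_tunnel_cmd() {
  _port=${2:-8888}
  is_ipv4_literal "$1" || { echo "need an IP address, got: $1" >&2; return 2; }
  case $_port in "" | *[!0-9]*) echo "bad port: $_port" >&2; return 2 ;; esac
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
    "$_port" "$PMS_PORT" "$1"
}

# Read `ss -ltn` output on stdin. Status 0: every listener on port $1 is
# loopback; 1: some listener is reachable from other hosts; 2: none found.
listener_is_loopback_only() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] != port) next
      addr = substr($4, 1, length($4) - length(parts[n]) - 1)
      seen = 1
      if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
    }
    END { exit exposed ? 1 : (seen ? 0 : 2) }'
}
```

On Linux, run the printed command, then pipe `ss -ltn` into `listener_is_loopback_only 8888` before opening http://127.0.0.1:8888/web; close the tunnel once the server is claimed.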

Windows

If you’re using Windows on your local system and your server is on Linux or macOS, you’ll need to use an application such as PuTTY or Windows 10’s built-in SSH client that can create the SSH tunnel for you. You can use instructions like these for setting up the PuTTY/SSH connection. If following that, you would use this information:

  • Gateway: ip.address.of.server
  • Source Port: 8888
  • Destination: 127.0.0.1:32400

Once you have the SSH tunnel set up:

  1. Open a browser window
  2. Type http://127.0.0.1:8888/web into the address bar
  3. The browser will connect to the server as if it were local and load Plex Web App

Docker

For Docker installations, you’ll need to generate a claim token (via https://www.plex.tv/claim) for your Plex account and then set that as the value of the PLEX_CLAIM parameter of the Docker configuration. Refer to the Plex Media Server Docker documentation for more details.

Related Page: README for Plex Media Server on Docker
Related Page: https://www.plex.tv/claim

Troubleshooting Plex Media Server Claiming

Once you load up the local/bundled version of the web app, most people have no issues claiming their Plex Media Server. But if you do have trouble, the most common problem will be that no server entry appears in the sidebar when you open the Settings in the web app. Some things to try:

Make sure you’re accessing from locally on the machine

If your Plex Media Server runs on a machine different from what you normally use every day (e.g. the server runs on a NAS and you use a laptop for normal usage), you need to make sure that you’re connecting locally. Review the information from the previous section again.

Try the third-party “ClaimIt” tool

The simplest thing may simply be to use the third-party “ClaimIt” tool. That’s a script that will prompt you for your Plex account username/email and password as well as the IP address of the Plex Media Server and then claim the server using that account.

That said, this is a third-party tool and you should always be careful of providing account login information to third-parties.

Related Page: https://github.com/ukdtom/ClaimIt
Related Page: ClaimIt Tool Wiki

Try the troubleshooting steps in our “Locked Out” article

You can try the steps in our regular article about being “locked out” of a Plex Media Server.

Sources:

https://support.plex.tv/articles/account-requires-password-reset/?utm_source=Plex&utm_medium=email&utm_content=reset_password&utm_campaign=sql_db_password_reset

https://www.comparitech.com/blog/vpn-privacy/medical-data-breaches/

https://www.techtimes.com/articles/279586/20220824/plex-alert-users-security-breach-tells-reset-passwords.htm

https://www.gearrice.com/update/your-plex-account-in-danger-an-attack-puts-your-data-at-risk-but-there-is-a-way-to-protect-yourself/

https://betanews.com/2022/08/24/plex-suffers-data-breach-third-party-gains-access-to-emails-usernames-and-more/

https://techcrunch.com/2022/08/24/plex-streaming-breach-passwords/
