Plex Users Should Reset Their Login Information ASAP Due To Alarming Data Breach

plex users reset login info data breach news
Plex, a company that provides media streaming solutions, sent out emails early this morning informing users of a data breach. According to the notice, Plex launched an investigation yesterday after discovering suspicious activity on one of its databases. The investigation revealed that a third-party actor managed to gain unauthorized access to this database.

At present, Plex believes this breach to be limited in scope. Nonetheless, the limited subset of data accessed by the third-party contains email addresses, usernames, and encrypted passwords. Since the passwords were stored in a hashed format, users don’t have to worry about their passwords being directly exposed by this breach. However, those who reuse passwords may still be at risk of having their Plex passwords exposed, as cybercriminals can match password hashes with hashes from other data breaches that do include plain text passwords.

plex app interface news
Plex user interface

In order to best protect users’ accounts, Plex is requiring all users to reset their passwords. Step-by-step instructions for this process are available on Plex’s website. The notice also includes further steps users can take to secure their accounts. Plex recommends checking the box that reads, “Sign out connected devices after password change,” during the password reset process. In the case that a threat actor was able to gain access to a Plex user account with a compromised password, checking this box will end that unauthorized account session. Plex further recommends enabling two-factor authentication (2FA) to add an additional layer of security.

The breach notice does not provide any details regarding how the third-party actor gained access to a Plex database. Plex simply states that it has “addressed the method that this third-party employed to gain access to the system.” Plex is also performing further reviews of its systems, according to the notice. Lastly, the company assures its users that it does not store payment information on its servers, so no such information was exposed by this breach.