Popular media platform Plex has asked users to change their passwords "out of an abundance of caution" after it found a third-party had gained access to one of its internal systems.
In a message to all users, Plex said that after discovering "suspicious activity" on one of its databases on Tuesday, the company ascertained that a hacker had been able to access "a limited subset of data" including emails, usernames, and passwords. From the email:
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex account to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable to this incident.
Plex is asking users to tick the checkbox "Sign out connected devices after password change," when resetting their account password. This will sign out all devices, including Plex Media Servers, and require users to sign back in with their new password. Plex also recommends enabling two-factor authentication on their Plex account if they haven't already.
Aw crap, I’m pwned in a @plex data breach. Again. I can’t do anything to *not* be in a breach like this (short of not using the service), but a @1Password generated random password and 2FA enabled makes this a mere inconvenience rather than a genuine risk. pic.twitter.com/XetB3IGUh3 — Troy Hunt (@troyhunt) August 24, 2022
Plex says it has already addressed the method that the hacker used to gain access to the database, and it is conducting additional reviews to ensure the security of its systems and prevent a similar incident occurring.
