Plex, the very popular home media server and streaming platform, has shared a detailed advisory on a recent security incident. The firm has confirmed that an unauthorized third party accessed a "limited subset" of customer data, but that it was able to mitigate the scope of the hack and its impact.
Plex has also assured that account passwords that may have been accessed by this breach were securely hashed, so were not read in plaintext by the threat actor.
Regardless, the firm has shared details for its customers on how to handle the situation which includes resetting the sign-in password. In addition, it has also recommended that users enable two-factor authentication (2FA), if it isn"t already, to further enhance their account"s cybersecurity posture. It writes:
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.
Finally, the company has shared a support article at this link which walks users through the steps one by one on how to reset their account password.
The company has already been sending out emails to users, but even if you have not received one, it is best advised that you reset your password just to be on the safe side.
Some users are also finding that their libraries after the password reset shows up as empty, in which case, you will need to reclaim the server or try the login process a few more times (via Reddit).