Plex, a streaming service, announced that it had a third-party attack on one of its database servers and was able to extract emails and passwords. The passwords were encrypted, but they are asking all service users to reset their passwords and to log out all devices attached to their service.
Plex is a streaming service and a software company. Not only do they allow you to stream from them, but they also have a streaming service that you can install on a computer and then share videos that have been converted to popular media types. They claim to have 25+ million global users, with 50K+ on-demand titles and 250+ Live TV channels. “We’re on a mission to create a global community where everyone can discover, experience, and share all of the entertainment that matters to them.”
As a plex user, I was recently notified via email about this breach. Here is a copy of that email.
| Dear Plex User, |
| We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure. |
| What happened |
| Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident. |
| What we’re doing |
| We’ve already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we’re requiring all Plex users to reset their password. |
| What you can do |
| Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there’s a checkbox to “Sign out connected devices after password change.” This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password here. |
| We’d also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so. |
| Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third-parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses. |
| For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/account-requires-password-reset |
| Thank you, The Plex Security Team |
Remember, as with any service you use on the internet, it is best practice to use a different password for each service, and then to store those passwords in a safely encrypted password vault.
The US Government has these suggestions on how to remain safe on the internet
Protect Yourself Against Cyberattacks
You can avoid cyber risks by taking steps in advance:
- Limit the personal information you share online. Change privacy settings and do not use location features.
- Keep software applications and operating systems up-to-date.
- Create strong passwords by using upper and lower case letters, numbers and special characters. Use a password manager and two methods of verification.
- Watch for suspicious activity that asks you to do something right away, offers something that sounds too good to be true, or needs your personal information. Think before you click. When in doubt, do NOT click.
- Protect your home and/or business using a secure Internet connection and Wi-Fi network, and change passwords regularly.
- Don’t share PINs or passwords. Use devices that use biometric scans when possible (e.g. fingerprint scanner or facial recognition).
- Check your account statements and credit reports regularly.
- Be cautious about sharing personal financial information, such as your bank account number, Social Security number or credit card number. Only share personal information on secure sites that begin with https://. Do not use sites with invalid certificates. Use a Virtual Private Network (VPN) that creates a more secure connection.
- Use antivirus and anti-malware solutions, and firewalls to block threats.
- Back up your files regularly in an encrypted file or encrypted file storage device.
- Do not click on links in texts or emails from people you don’t know. Scammers can create fake links to websites.
- Remember that the government will not call, text or contact you via social media about owing money.
- Keep in mind that scammers may try to take advantage of financial fears by calling with work-from-home-opportunities, debt consolidation offers and student loan repayment plans.
Mike Kieffer is an IT geek by hobby and trade, with a BS in Information Systems & Technology. He is a proud father of 10, a grandpa, an author, a journalist, and internet publisher. His motto is to “Elevate, Inspire and Inform”, and he is politically conservative and a Christian. Mike has a passion for technology, writing, and helping others. With a wealth of experience, he is committed to sharing his knowledge with others to help them reach their full potential. He is known for his jackassery or his form of self-expression that encourages boldness, creativity, and risk-taking. It can be a way to push the boundaries and challenge traditional norms, leading to creative solutions and positive change.