Plex, the media streaming platform, said a data breach exposed a limited subset of customer data from one of its databases. The stolen information included email addresses, usernames, securely hashed passwords and authentication data, the company said in a breach notification. It said an unauthorized third party accessed a limited subset of customer data, the incident was quickly contained, and the accessed information included emails, usernames and securely hashed passwords.
Plex noted that the passwords were hashed in accordance with best practices, but did not disclose the hashing algorithm, which could leave room for attackers to attempt cracking the data. The company emphasized that any account passwords that were accessed were securely hashed and advised users to treat the situation as a precaution and reset credentials accordingly.
As a precaution, Plex is urging users to reset their passwords at https://plex.tv/reset and to enable the “Sign out connected devices after password change” option when doing so, which will reset passwords and log out existing sessions on affected devices.
For users who log in with single sign-on (SSO), Plex recommended signing out of all active sessions by visiting http://plex.tv/security and selecting “Sign out of all devices.” After this step, users will need to re-enter credentials on each device.
The company also urged users to enable two-factor authentication for added protection and reminded customers that Plex will never ask for passwords or credit card details by email. Plex noted that no payment card information was involved in the breach since such data is not stored on its servers, and said it has addressed the method used to breach its systems while withholding additional technical details. This incident follows a similar breach that affected Plex users in 2022.