Plex has confirmed a new security incident in which an unauthorized party gained access to one of its databases, exposing a subset of customer data. The company said the breach was quickly contained but advised all users to reset their passwords.
What information was exposed in the Plex data breach?
According to Plex’s notification, the attacker accessed:
- Email addresses
- Usernames
- Securely hashed passwords
Plex stressed that passwords were hashed following industry best practices, making them unreadable to the attacker. However, the company did not disclose which hashing algorithm was used, leaving open the possibility of brute-force cracking attempts.
Steps users should take
Plex is requiring all customers to reset their passwords through plex.tv/reset. During the reset, users should select “Sign out connected devices after password change” to terminate existing sessions and prevent unauthorized access.
Additional recommendations include:
- Single Sign-On users: Log out of all sessions via plex.tv/security and reauthenticate with SSO credentials.
- Enable two-factor authentication (2FA): Adds protection even if a password is compromised.
- Remain vigilant: Plex emphasized it will never request passwords or payment details via email.
The company clarified that payment card information was not at risk, as Plex does not store this data.
Company response and context
Plex stated it has fixed the vulnerability exploited in the attack but has not shared technical details of the breach or its remediation steps.
This is the second major security issue reported by Plex in recent years. A 2022 breach similarly exposed usernames, emails, and hashed passwords, and likewise prompted a wave of mandatory password resets.