Yesterday I received an email from Plex about a potential data breach in their systems. They found evidence that a third party was able to gain access to their user database:
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
First, kudos to Plex for notifying us the day after, rather than waiting until the statutory maximum as my bank Ally did a few months ago. While this is a serious breach, Plex does not believe the hackers were able to gain access to plain-text passwords.
The database accessed is the one you use to log into Plex services (like Plex Pass, etc.) – not the local database stored on users’ servers. But if you are using a Plex login to manage your Plex servers and clients, you should change your password AND log out all devices from your account as a precaution, as I detailed in this video short. You may want to enable two-factor authentication (2FA) while you’re at it.
It does not appear that those who use Google to authenticate their accounts need to do anything. But I’d enable 2FA just to be safe.
Afterward, you’ll need to “re-claim” any servers attached to your account. It’s a pain, but a necessary precaution.