
Plex has notified users of a recent security breach involving a third-party intrusion that exposed account data, including emails, usernames, and hashed passwords.
Importantly, Plex confirmed that no credit card or payment data was affected in the breach, as the platform does not store this information on its servers.
While the company claims the scope of the incident is limited, it has prompted a platform-wide password reset to prevent further compromise.
The breach was disclosed in an email to Plex users, which confirmed that attackers exploited a vulnerability to gain unauthorized access to a portion of the company’s user database. Although the compromised passwords were hashed using industry best practices, the company is urging all users to take precautionary action by resetting their passwords immediately and signing out of all connected devices.
Plex did not specify the exact date the incident occurred or when it was first discovered, but indicated that the issue was swiftly contained and the vulnerability used in the attack has already been remediated. The company is now conducting a broader security review to harden its infrastructure and prevent recurrence.
Plex is a widely used media server platform that allows users to host and stream personal media libraries, such as movies, music, and photos, across devices. The service supports a wide range of operating systems and is especially popular among privacy-conscious users who prefer self-hosted solutions over cloud-based alternatives. The platform has tens of millions of registered users worldwide.
Users are instructed to initiate the reset from a private or incognito browser session by navigating to the official password reset page at https://plex.tv/reset. To strengthen account security, users are advised to enable the “Sign out connected devices” option during the reset process, which logs out all sessions, including those on Plex Media Servers and client apps. Finally, those who haven’t done so already should enable two-factor authentication (2FA), which adds an extra layer of protection in case of credential theft.
Users experiencing issues receiving the password reset email are advised to check their spam or junk folders, ensure proper spelling of their email address during the reset process, and whitelist Plex’s official email addresses (noreply@plex.tv and hello@mail.plex.tv).
While Plex has taken appropriate steps in response to the breach, users should remain vigilant, especially if they reused the same credentials on other platforms.