Streaming media platform Plex has confirmed a data breach and is warning users to change their passwords.
Plex said it discovered the compromise on Tuesday and found the intruder had accessed “a limited subset of data that includes emails, usernames, and encrypted passwords.” Plex said passwords are hashed — essentially scrambled in a way that makes them unreadable to humans — but did not say what kind of hashing algorithm was used, since some older or weaker algorithms can be defeated to reveal user passwords. Plex said credit card and payment data is not stored on its servers.
Plex is one of the largest media streaming apps, allowing users to stream movies and live television, as well as their own audio, video and photos hosted on their own home media servers. As of last year, Plex had more than 25 million registered users.
It’s not clear how many users are affected by the data breach, but Plex is asking all users to reset their own passwords. After Plex emailed users about the breach overnight, some said that their password resets weren’t working or were throwing errors when trying to sign out of other connected devices.
Plex said in its email to customers that it has “already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions,” without saying what the cause of the intrusion was.
Details about the incident remain otherwise slim, and Plex has not yet announced the breach on its website or on its social media. Plex spokespeople did not immediately respond to our questions.
The Plex breach is a reminder to use a password manager and set up two-factor authentication wherever possible to make it significantly harder for attackers to take over your online accounts.