Important Notice of Security Incident
forums.plex.tv
We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure. What happened An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication ...

We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.

What happened

An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.

Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.

What we’re doing

We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.

What you must do

If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.

If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

Additional Security Measures You Can Take

We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.

Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.

For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset

    • TheGrandNagus@lemmy.worldEnglish
      12·
      3 个月前

      I enjoy using Jellyfin and hope it continues to improve, but it has some problematic security of its own.

      • Logical@lemmy.worldEnglish
        41·
        3 个月前

        But if you just run it locally an a media server in your home, and you don’t expose the service to the internet, that doesn’t really matter? Though perhaps more people connect to their Jellyfin instances remotely than I realize.

        • cosmo@lemmy.worldEnglish
          11·
          3 个月前

          Well. If you’re not streaming why have such a service in the first place? If I didn’t stream remotely with Plex (and share with my friends and family) I’d just go back to running Kodi on my htpc like I did ten years ago.

        • thax@lemmy.dbzer0.comEnglish
          51·
          3 个月前

          It matters if someone manages to hide an exploit in jellyfin’s codebase, or more likely, a popular plugin. I imagine many folk have permissive outgoing firewall rules, in which case, an exploit could establish connectivity. Whether that eventually leads to privilege escalation on the jellyfin host would depend upon other variables.

          edit: I should add that I’ve not used jellyfin and am unfamiliar with how plugins are implemented. I don’t want to speak out of turn, only to suggest, in the abstract, that just because software isn’t exposed to the net, doesn’t mean it cannot harbor exploits that could become problematic. And, plugins are a common vector.

    • BackgrndNoize@lemmy.worldEnglish
      132·
      3 个月前

      Stuff like this can happen to any app, developers are only human, shit happens. A bigger company is a bigger target for hackers, so there is some saftey in an open source app that’s not as popular, but then again a bigger company also has more resources to monitor for security breaches and quickly address them and push out a hot fix, can’t say I know how this works for free open source apps

      • Lexi Sneptaur@pawb.socialEnglish
        16·
        3 个月前

        I think the point here is that Jellyfin doesn’t have a centralized login or website like Plex does. An attacker would have to know about your server and log into it directly to get access. If you run it in a container, there isn’t a lot they can do other than trashing your media library, which you should have protected with filesystem snapshots anyway.

        • purplemonkeymad@programming.devEnglish
          5·
          3 个月前

          Jellyfin doesn’t even have write access to my files. If they can get access into the container’s process then I guess they could add stuff to the web interface which could contain bad stuff.

          • Lexi Sneptaur@pawb.socialEnglish
            1·
            3 个月前

            That’s also a viable solution, but for me I just use Btrfs snapshots on my NAS. My files are stored on a different device and the Jellyfin container only sees them as a mounted dir, not even aware that it’s an SMB mount.

      • rezifon@lemmy.worldEnglish
        11·
        3 个月前

        Every year Jellyfin improves and Plex further enshittifies. You’re fighting against the tide here.

        • thelittleblackbird@lemmy.worldEnglish
          31·
          3 个月前

          ???

          This is not about enshitification. The best user friendly app can be a security nightmare and an utterly crap can be rock solid.

          It is not about that, not even development models or just rock star programmers.

          It is about who has a performing security team and who doesn’t.

            • thelittleblackbird@lemmy.worldEnglish
              11·
              3 个月前

              If they don’t have a team, they don’t regularly look, if they dont look, they don’t report, if they don’t report your analysis maybe biased because you can only check about what you know…

              I hope you can see my point

      • daniskarma@lemmy.dbzer0.comEnglish
        92·
        3 个月前

        Jellyfin dev team is not in charge of your self hosted security though. You know what you are getting, source code available, and it’s up to you setting the security.

        • thelittleblackbird@lemmy.worldEnglish
          56·
          3 个月前

          But they are responsible for the unsecured / gruyere cheese product they ship.

          Jellyfinn has a lot of holes and it is easy to deploy it in a insecure way by not techie people. Last time I checked they even didn’t have a recommended practices for hardening it

          • daniskarma@lemmy.dbzer0.comEnglish
            55·
            3 个月前

            Not techie people are not going to be able to open it for internet access. If you have the knowledge to set a internet available service you should have the knowledge to be able to provide basic security.

            Most security issues with jellyfin are an issue only for a specific type of user. The one who is selling access to their server. The worst Jellyfin security issue makes selling access to your server a higher risk situation.

            I hope someday those issues would get patched, but I get why there are other priorities for the dev team right now, about issues that bother to a bigger majority of jellyfin users.

            • thelittleblackbird@lemmy.worldEnglish
              32·
              3 个月前

              Well, when I was talking about not techie people I didn’t mean technology analphabets, everybody can open a port in your consumer router with the help of chatgpt, not everybodies is able to realizes they need a reverse proxy with tls and modify the headers for the Auth…

              Being secure in internet is like the herd inmunity for corona times, your system could be fairly secure, but if you are hammered with several bot nets it is going to be a challenge, and there is responsabiity is shipping a product that is easy to be infected.

              And your third paragraph really confirms why this post is necessary

              • daniskarma@lemmy.dbzer0.comEnglish
                21·
                3 个月前

                Have to point a dns to the ip, buy a domain, stablish ddns. I don’t see it happening often. If you know all that you are ought to know about getting hitm

                Bot hits are not a problem for jellyfin. The main problem right now is unauthorized access to endpoints for people who know the hash that is being used in that endpoint.

                It’s a targeted attack that hampers availability of the services (making it more available than it should be). It doesn’t make internet more insecure or anything.

                As I said previously I haven’t actually known of any of these attacks happening on the wild. As they are kinda hard of pull of. You need to know the precisely hash used for the endpoint, the most normal way of knowing that without being an authorized user is because you used to be an authorized user and you are not anymore. That’s weird in jellyfin current ecosystem. People say that the hash could be calculated by a complete outsider, but I have never seen anyone pulling it off on the wild. You need to know a lot of things about the service you are attacking to be able to do it.

                So, yes is a security vulnerability, all software have those. But I think it gets blown out of proportion often.

    • Mongostein@lemmy.caEnglish
      1315·
      3 个月前

      No doubt. Why do you need an account on their servers to use a server on your own hardware? So dumb.

      • Archer@lemmy.worldEnglish
        332·
        3 个月前

        The second I saw that I immediately looked for alternatives and abandoned plans to have my own Plex server. I knew it would enshittify fast when they can lock you out of your own server

      • 7U5K3N@lemmy.dbzer0.comEnglish
        41·
        3 个月前

        For me… my server software is running. But the account doesn’t see it. And as such I can’t claim my server to get it back up and running.

        Fun times. Glad I changed my password. :/

        • Saik0@lemmy.saik0.comEnglish
          9·
          3 个月前

          If you just changed your password and now you don’t have access… Directly connect to the server http://<serverip>:32400/web and you’ll get the setup prompt to connect it back to your account.

          If that doesn’t work you can restart the server and try again (should catch up that it’s unauth’d). Or run a tool like https://github.com/ChuckPa/UserCredentialReset to reset it so you can reauth it.

          • 7U5K3N@lemmy.dbzer0.comEnglish
            3·
            3 个月前

            Thanks for that second link… I’ll give it a try.

            I’ve done nearly everything I can think of to get it sorted.

            Out side of jellyfin. That said. I’m going to spin up a container of jellyfin tonight. This has absolutely taught me that Plex is a huge point of failure for my media consumption.

  • ArmchairAce1944@discuss.onlineEnglish
    10·
    3 个月前

    This is why I barely trust any streaming platform… I mean I try to not use my ‘real’ email for anything (and I stupidly linked my other emails to it on my phone, so Google basically knows it even if they dont have direct access to the inboxes).

    There is so much shit being hacked that the idea that rhat any information we put out there isn’t already available on the darkweb is stupid. Even some AI camera surveillance company has said that they built their database in part based on information they bought from the darkweb (I need to get the source again).

    And I rarely hear about those same hackers getting caught. Its almost like they have it down to a T and it is simply too profitable and the chances of getting caught are too minimal to care. And this shit is continuing despite all the legislation being passed to monitor more and more internet activity, which makes me think if any of it will even work?

    It is still rare that someone truly criminal is caught because of some internet searches. Most data is collected from confiscated computers and if they simply deleted their browsing history and used a basic file shredder to wipe their free space they would not be able to recover anything.

    • Toxuin@lemmy.caEnglish
      217·
      3 个月前

      How to be innocent (not really): Step 1. Insist that users absolutely MUST use your cloud server for every login into a self-hosted tool on their own hardware. Step 2. Have shit security. Step 3. Ow wow, now users’ data is all over your systems! Hackers clap their hands and do a happy dance. Step 4. Send out “we’re sowwy” email.

  • Ohh@lemmy.mlEnglish
    3·
    3 个月前

    Do any of you receive a password reset mail? I don’t. So I fear somebody might have already changed /taken over my account? Even though i do use two factor auth?

    • I did receive the initial notice
    • I did not receive the reset mail i asked for. Not in spam either. I have checked that the emailadress is identical to the one i received the original notice for.
  • ngwoo@lemmy.worldEnglish
    235·
    3 个月前

    Glad I never gave Plex any payment details, don’t reuse passwords, and don’t plan on using it any more so I can just ignore this

    • hackitfast@lemmy.worldEnglish
      91·
      3 个月前

      I bought a lifetime subscription years ago, and even if the payment method got decrypted, it’s well expired. Not to mention I haven’t had a Plex server running for ages.

      • ipkpjersi@lemmy.mlEnglish
        2·
        3 个月前

        Yep same here, I already got a brand new credit card with a brand new number because my renewal got stuck in a postal strike lmao

  • ayyy@sh.itjust.worksEnglish
    1442·
    3 个月前

    I harbor a strong dislike for the profiteers at Plex but their security incident response is textbook correct. Good job security dudes! The rest of your stupid company should listen to you more often.

    • reptar@lemmy.worldEnglish
      20·
      3 个月前

      As I slide the needle from “strongly dislike” to “not a fan”.

      Good on em

    • KubeRoot@discuss.tchncs.deEnglish
      111·
      3 个月前

      I do think they missed a bit about password reuse, since they tell you to reset the password on their site, you should be changing the password on any other sites where you reused it. But yeah, not arguing about it being good otherwise.

    • skisnow@lemmy.caEnglish
      312·
      3 个月前

      It shows how low the bar is, that just bare bones complying with GDPR notification requirements so as not to risk a €20M fine, is enough to make people talk about how good a job you did.

    • fmstrat@lemmy.nowsci.comEnglish
      12·
      3 个月前

      Overall I agree, but not requiring users to change password when the hashes were taken is a bit too soft IMO.

      It will also be interesting to see if they make a public disclosure about the specifics of who and how. They also don’t specifically define if media watched data was included or excluded.

      Either way, happy I migrated to Jellyfin.

  • Toxuin@lemmy.caEnglish
    6311·
    3 个月前

    Keep in mind that the only reason they deny you the ability to log in to your own local service with your own local sign-in method is that they may upsell you on their cloud junk. If there’d be no cloud account involved - your data would not be at risk and/or leaked. They endangered your privacy for marketing purposes.

    If you have not moved off of Plex - do it now. This company is fully rotten.

    The email they sent out has reply-to address that conveniently does not work…

    • Orygin@sh.itjust.worksEnglish
      76·
      3 个月前

      But brooo, don’t you know you need to have a cloud login. You neeeeeed it broo, so they can have all your info leaked bro. How else can I give access to somebody if I don’t pay 200+ bucks for the privilege of accessing my own library bro.
      Data leaks happen bro, no need to worry it’s the third time in a decade. This is a text book pro response anyway, they deserve more money bro.
      How dare you suggest people use another software bro, they deserve your money each month, not these leeches giving you free software. Plus Plex is so much more secure anyways, just look at them getting hacked bro. Your jellyfin is so insecure you need a PhD in cyber bro-security to even think about doing it. Look at all the jellyfin instances getting hacked every day. Someone could even guess a UUID and access 10s of playback of my pirates movie bro, see how it’s so full of holes bro

  • bitchkat@lemmy.worldEnglish
    7·
    3 个月前

    Word of warning. Resetting your password is causing lots of people to lose access to their server. I’ll be deleting config and reclaiming the server after work.

    • Patches@ttrpg.networkEnglish
      2·
      3 个月前

      If you have Synology.

      Uninstall(without delete) and reinstall Synology.

      It will allow you to log back in.

      • bitchkat@lemmy.worldEnglish
        3·
        3 个月前

        I’m on Linux and the simplest solution I found was to use the browser to generate a claim code on plex.tv and then install that code in the server via curl.

  • Matty_r@programming.devEnglish
    16·
    3 个月前

    This isn’t the first time they’ve been breached, there was an incident in 2015 and 2022 as well. From what I can gather its the same info being gathered each time.

    There might be others but I can’t find th at the moment.

    • dogs0n@sh.itjust.worksEnglish
      32·
      3 个月前

      Really that often? I guess their good and quick response has been engineered through lots of experience…

      At some point, can you keep yourself using a service that constantly gets breached? I’d just be worried when the next one is coming, based on this record (that i havent verified for myself, gonna trust u bro).

  • Midnight Wolf@lemmy.worldEnglish
    7·
    3 个月前

    I received this email, but two of my users who have their own accounts (not just profiles on my account) did not receive this. Thinking only server owners were affected?

    • rc__buggy@sh.itjust.worksEnglish
      97·
      3 个月前

      Nah, only server operators were notified. Assume all accounts were affected.

      4h edit: well then. Seems like this statement may not be true and my account may actually be out in the wild with you filthy sluts. Going to check tomorrow morning and might shut the whole thing down.

      • alekwithak@lemmy.worldEnglish
        181·
        3 个月前

        Negative. Had a Plex server and lifetime pass forever and I didn’t receive squat.

        • rc__buggy@sh.itjust.worksEnglish
          51·
          3 个月前

          That’s interesting. I’ve never let it outside my LAN so I don’t really feel affected, I also didn’t get an email.

          ope: I lied. got the email 2 hours ago.

  • johnwicksdog@aussie.zoneEnglish
    682·
    3 个月前

    I think that’s a pretty good response. More details will probably emerge in the next few days that could change my mind, but for now that gives me a bit of confidence in their platform.

    In comparison, a few years ago I was a patient at an IVF clinic in Sydney. I saw some absolutely bonkers security and repeatedly raised it with them. They wouldn’t hear it, and almost expectedly they were hacked and now my sperm count is public information. Their response was delayed and appalling. If my medical records were treated a severely as a streaming platform, I would have been happy.