This morning I opened my account on my laptop and noticed activity. I checked to see who, just because it was really early, and it’s me! But it’s not. So since 12-22 about 80 movies/shows were played under my obviously compromised account. I have had 2FA enabled and it’s tied to my MS Authenticator. Anytime I would log in to a new browser or device I would have to use the authenticator (as expected, and provide the PIN) and I would get an email about a new login with the associated IP address and region. I got no such notices for the compromise. I checked junk, deleted and spam and nothing there. So I changed my password (this time I used a generated passphrase) and I kicked all logged-in devices. I confirmed no new users were added and I also cleared all the old authorized devices. I noticed a new Firefox device that I know should not be there, since I have never used Firefox to view content on my server. Probably the player used to view my content. Unloaded the server and started all fresh. So when I logged in to the server I got the 2FA prompt to enter the authenticator-generated PIN, as I should. Same goes for the web browser on my laptop. And I got the emails for both new devices logging in. Server version is current. I also noticed under the play history for me the compromised viewing had the player listed as generic and no platform, whereas all of the legitimate play history for the player will list an actual device or browser and the platform. I do use my Gmail address for the username but I use a unique password. The account is not linked to my Gmail account/password that I use for my email access. My question is: how was the 2FA/authenticator prompt circumvented? And I got no email notifications about new logins.
Plex’s 2FA only protects the email-and-password login method.
But you also have a Google account linked to your Plex account.
If an attacker can log in to this, he can also access your Plex account.
Just to restate: I am using my Gmail but not my Gmail password. I did not “link” my Google account. So my username is my Gmail account but it is a totally separate password. I have had 2FA on for some time, and it is tied to my MS Authenticator. As I stated, anytime I make/add/use a different machine to access my Plex I get prompted, as I should, for the 2FA code. I also get an email that a new device has accessed my Plex. I got no such notifications for this access. And yet after I kicked all of the devices and reset my password, which required me to give the 2FA code (as it should), and then added all of my devices back in, getting properly challenged on each one, and I got the email that a new device logged in (me), I got all of the proper prompts and roadblocks. But the person that compromised my password was able to freely access my media from who knows where, and I got no email that a new device logged in, and apparently they were able to access my media with no 2FA authentication. This is what has me concerned.
Well, someone did, because that is what it says in your account details.
This happened pretty much exactly 3 years ago.
So when I choose “use email” and not “sign in with Google” and happen to use my Gmail account for the username but a different password, I had believed that’s not considered a “linked” account. Am I wrong about this? My Gmail account uses a completely different password than what I have set for Plex. I’m still wondering about all of the lack of 2FA challenges and notices from the hijacked login that did not happen.
That’s when you sign in to Plex. However, you can also choose to use the “Sign in with Google” method. And so can the attacker.
If the attacker has gained access to this Google account, he can use the same credentials to sign in to your Plex account, because you have linked the two.
https://support.plex.tv/articles/use-federated-authentication-to-sign-in/
OK, let’s say that’s the case. Any guesses on the circumvention of having to use my Microsoft Authenticator for the 2FA challenge? Regardless of which account is used to sign in, the first sign-in from a new device in my experience requires 2FA. So even if they had access to, say, turn it off, you would still need to authenticate to do that. And I have the authenticator on my phone.
If you stored the initial seed numbers or the QR code for the 2FA somewhere accessible (for instance in your Google Drive or in your Gmail box), the attacker could simply have used it to set up his own authenticator app.
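The point above, that whoever holds the enrollment seed holds the second factor, shown as an added example that is not part of this thread or of Plex’s own code: a minimal RFC 4226/6238 HOTP/TOTP implementation in Python. Two independent apps enrolled from the same base32 secret (the string carried in an enrollment QR code) compute identical codes from nothing but the seed and the clock, which is why a stored copy of the QR code is as sensitive as the password it backs up, and why the fix after a suspected seed leak is to re-enroll with a fresh seed, not just to change the password. The secret `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` is the RFC’s published test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret found in an otpauth:// URI / enrollment QR code.

    Authenticator apps usually print it without padding, so restore it.
    """
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def codes_agree(b32_secret: str, unix_time: int) -> bool:
    """Two apps enrolled from the same QR code are indistinguishable to the server:
    the code depends only on the seed and the time, not on which device holds it."""
    phone_app = totp(secret_from_base32(b32_secret), unix_time)
    copied_seed_app = totp(secret_from_base32(b32_secret), unix_time)
    return phone_app == copied_seed_app


if __name__ == "__main__":
    # RFC 6238 test key (ASCII "12345678901234567890"), constructed input, not a real seed
    TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    print("code right now:", totp(secret_from_base32(TEST_SECRET), now))
    print("same seed, same code on any device:", codes_agree(TEST_SECRET, now))
```

The check a defender can run from this: if an authenticator is ever re-provisioned from a saved QR image, the old seed is still valid on whatever else scanned it; only generating a new seed in the account’s 2FA settings invalidates those copies.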
That would be true, but the codes are not accessible by any of my Google services. So since I log in to Plex with a different password and I always use the unique password for Plex, if I unlink the Google account that I see in my settings, what are the ramifications? I would presume none, since I don’t use that feature for its intended purpose of easy login.
Precisely.
Thanks for the replies. I appreciate the back and forth. I like that Plex offers to use a passphrase (I chose this option) as an option. So much better than a password. I wish more sites offered this. Almost none do, even though the experts in the field will all tell you passwords ultimately are all breakable but passphrases are pretty much not.