Action required: Important notice of a potential data breach

I’ve tried it several times but it doesn’t change anything. Besides, I can’t even restart my server now.

What did you try several times and how didn’t it work (e.g. any error messages)? Why can’t you reboot your server?

Unclaim and claim my server again: it does not change anything.
And now my server is down. I restarted the server several times, stopped and restarted the service. It doesn't want to start again.

For some additional information, passwords were hashed with bcrypt, salted and peppered.
While we’re still investigating, we’re requiring all users to reset their passwords. Everyone will get an email, but not all at once, we’re trying to stagger this to manage the load.

If we had invalidated everyone’s password at once, we’d have had tens of millions of people hitting our servers at once trying to set a new password, and honestly, we can’t handle everyone doing that at once.

We’d strongly suggest everyone also revoke their tokens by signing out all devices. While we’re still investigating the issue, there is a risk that authentication tokens may have been compromised. We’re being abundantly cautious here, because we want to do everything we can to preserve security for our users.

Password reset emails are taking a little longer than normal, due to the amount of traffic we’re getting. You can also go directly to https://app.plex.tv/desktop/#!/settings/account to reset your password.

Should you have any difficulty with claiming your server afterwards, please ensure you've followed all the steps here. If you're still having difficulties, please post specifics about your setup (OS, server version, how you access it, etc.) so that we can help.

9 Likes

Does this affect SSO users… I use Google

If you’re only using SSO, and do not have a password in Plex, then you’re unaffected.

I think it’s because I tried to set secure connection to mandatory in the network settings… Do you know how to go back and if it’s possible?

Followed the steps, cannot access PMS running on Shield through either Plex Web on a Win10 machine or the Roku Plex app. PMS v1.27.2.5929
PMS is running fine on Shield and is fully functional with my libraries. Neither the server nor the libraries show any longer in Plex Web or the Roku app.

You said that authentication tokens MAY have been compromised. Wouldn’t that also affect accounts using SSO?

Hmmm, it should work. From another computer, go to the bundled web on the Shield, http://shield IP:32400/web, sign into your Plex account, go to the general tab of settings and click on “claim server”.

No, these would be Plex-only tokens, like the ones mentioned here: Finding an authentication token / X-Plex-Token | Plex Support

It is as if nothing was happening. There is absolutely no information on Plex’s homepage or support page or blog page or forums page or any other page. The only information I got about the breach is from a very suspicious SPAM-like email from “Plex”. All the rest of the information I had to find in media articles and from this forum page.
From what I can tell Plex is still hacked and all the passwords being reset are still captured by the attacker.
Maybe if there was any information from Plex, I would know better…
I shut down my PMS server and will see what is going to happen.
Horrible attitude

4 Likes

That worked! Thank you very much.

1 Like

Just when I was going to uninstall everything, I tried to delete all authorized machines… And I don’t know why my server is on and I have access from Web plex. I don’t touch anything anymore! Good night !

We’re still investigating but didn’t want to delay letting people know. We also thought people would more likely see an email than look at our website or blog. It’s a pretty small minority of users who visit the forums or blog, so email is the best way to reach everyone quickly. I posted some information before, but if you have specific questions, I can try and help answer them.

5 Likes

Are media libraries also stored online and may be stolen, or are they locally stored?

I would just like to say that the notification going out via email makes sense and I get your point about it being more likely to be noticed that way than via the website and a blog post.

However…recently an added feature (I think it was watch together) brought up a banner constantly on every browser of every device when accessing the forums. Yet a serious security breach…Nada.

That seems pretty whacked to be honest.

3 Likes

I’ll pass that feedback along. At the moment though, we don’t have anything further to share that hasn’t already been communicated via email.

2 Likes

You did the right thing of course, but a quick banner or pinned note on the forum is helpful, because modern e-mail is notoriously untrustworthy when someone sends you a “reset your password now, click this link!” mail. The default assumption is “spam or phishing”.

It’s like when you get a call from an unknown number asking for your bank information. You don’t give that info to that person, but you can definitely tell them you’ll call the main bank number to confirm if this call is legit. Checking these forums or the Plex front/support page is the equivalent of calling the bank to make sure.

Beyond that, thanks for trying to be diligent in making sure people were quickly informed.

3 Likes

Media libraries are stored locally. We have no idea what’s on your server, nor do we want to know.

1 Like