Do we know if the 2-Factor secrets were stolen along with the passwords?

This is not clear in the notification email which went out.

I want to know if my 2-Factor secrets are out in the wild, and what I should do about it?

Is changing the password enough? I feel like I should be disabling 2-Factor and re-enabling it to get a new key.

Please take a look at the banner at the top. It tells what was potentially stolen. The 2-factor info was not affected by the breach.
Nor was federated authentication (that’s what is “Login with…”) data affected.


Well, in the information linked it also says nothing about “access tokens” and yet Plex Staff said those may also have been compromised which is the reason for recommending a sign out of all devices.

Correct. This was not communicated at the time I made this response.

To be absolutely on the safe side and to prevent the misuse of leaked device access tokens, users are advised to reset these manually.

(I am recommending the manual procedure, because if you go through the “Password reset” procedure, you will end up with a regular password on your Plex account, which you didn’t have before [if you created your Plex account using one of the federated auth providers].)

https://app.plex.tv/desktop/#!/settings/devices/all does list all valid device access tokens of your account. If you delete these, those devices will lose access.
You will have to re-connect these Plex clients with your Plex account.
If you delete the token of your server as well, you will also have to re-connect your server.

(note: if you try this with Plex clients in your local network, you could get the impression that revoking the token didn’t work. However, this could be caused by the server configuration “List of IP addresses and networks that are allowed without auth”. All clients with these IP addresses will continue to have access, because the configuration explicitly instructs the server to give them access anyway.)
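The two points in the post above (take stock of which device tokens exist before revoking them, and remember that the “allowed without auth” server setting lets listed clients in regardless of tokens) can be worked through with a small script. This is an added example, not code from the thread or from Plex. It assumes, beyond what the thread states, that the plex.tv account API serves the device list at https://plex.tv/devices.xml when called with an X-Plex-Token header, as a MediaContainer of Device elements carrying name, product, platform, clientIdentifier, id and lastSeenAt attributes; the XML sample, timestamps and network setting in the script are constructed.

```python
"""Inventory of Plex device access tokens before a manual reset (added example).

Assumptions (not taken from the thread): https://plex.tv/devices.xml lists the
account's devices when requested with an X-Plex-Token header, as
<MediaContainer><Device name=... product=... platform=... clientIdentifier=...
id=... lastSeenAt=.../>...</MediaContainer>. The sample below is constructed.
"""
from datetime import datetime, timezone
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample in the assumed devices.xml shape; token values omitted.
SAMPLE_DEVICES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<MediaContainer size="3">
  <Device name="Living room TV" product="Plex for Samsung" platform="Tizen"
          clientIdentifier="aaaaaaaa-0000-0000-0000-000000000001" id="1001"
          lastSeenAt="1693440000"/>
  <Device name="Old phone" product="Plex for Android" platform="Android"
          clientIdentifier="aaaaaaaa-0000-0000-0000-000000000002" id="1002"
          lastSeenAt="1609459200"/>
  <Device name="NAS" product="Plex Media Server" platform="Linux"
          clientIdentifier="aaaaaaaa-0000-0000-0000-000000000003" id="1003"
          lastSeenAt="1693500000"/>
</MediaContainer>
"""


def fetch_devices_xml(account_token: str) -> str:
    """Fetch the live device list (assumed endpoint; not exercised offline)."""
    req = urllib.request.Request(
        "https://plex.tv/devices.xml",
        headers={"X-Plex-Token": account_token, "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


def parse_devices(xml_text: str) -> list:
    """Turn the device list into plain dicts; a missing lastSeenAt becomes None."""
    root = ET.fromstring(xml_text)
    devices = []
    for dev in root.iter("Device"):
        seen = dev.get("lastSeenAt")
        devices.append({
            "id": dev.get("id"),
            "name": dev.get("name", ""),
            "product": dev.get("product", ""),
            "platform": dev.get("platform", ""),
            "client_id": dev.get("clientIdentifier", ""),
            # Server tokens are the ones whose revocation also disconnects the server.
            "is_server": dev.get("product") == "Plex Media Server",
            "last_seen": datetime.fromtimestamp(int(seen), tz=timezone.utc) if seen else None,
        })
    return devices


def stale_devices(devices: list, now: datetime, max_age_days: int = 90) -> list:
    """Names of devices not seen within max_age_days (never seen counts as stale).

    These are the natural first candidates to revoke; the thread's advice is to
    revoke all of them, but knowing which are in active use avoids surprises.
    """
    stale = []
    for dev in devices:
        if dev["last_seen"] is None or (now - dev["last_seen"]).days > max_age_days:
            stale.append(dev["name"])
    return stale


def allowed_without_auth(client_ip: str, setting: str) -> bool:
    """Would this client bypass token checks under the server's
    'List of IP addresses and networks that are allowed without auth' setting?

    The setting is assumed to be a comma-separated list of addresses or CIDR
    networks; a plain address is treated as a /32 (or /128) network.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


if __name__ == "__main__":
    now = datetime(2023, 9, 1, tzinfo=timezone.utc)
    devs = parse_devices(SAMPLE_DEVICES_XML)
    for d in devs:
        print(f"{d['id']:>6} {d['name']:<16} {d['product']:<20} server={d['is_server']}")
    print("stale:", stale_devices(devs, now))
    # A LAN client in the allow-list keeps access even after its token is revoked.
    print("bypasses auth:", allowed_without_auth("192.168.1.20", "192.168.1.0/24, 10.0.0.5"))
```

Run it as-is to see the constructed sample; to inspect a real account, call `fetch_devices_xml` with your own account token and pass the result to `parse_devices`. If `allowed_without_auth` returns True for a client's address, revoking that client's token will appear to have no effect from inside the LAN, which is exactly the observation the note above describes.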

It’s going to be such a pain to reset the tokens, I’d say most users won’t do it without scarier language.
