My account has been hacked

Hello everyone,

Yesterday evening I couldn’t log in to my Plex account, so I clicked on the “Forgot Password” link and noticed that 1 hour ago my Plex account email had been changed by usmisteu37@gmail.com :fearful:

I don’t know this email address. Thanks to this mail I’ve been able to retrieve my account, but I’m still wondering how he succeeded in accessing my account…

Am I the only one with an issue like that? Do you know this email address?

Can we expect a 2FA feature to secure our Plex accounts?

Far from it. It’s an escalating problem of late. From what I have seen it seems to be in batches with the same rogue email address so there will probably be more reports of the same, citing that particular email address.

So far Plex seem indifferent on 2FA. It really needs to change.
I would add I’m in a really good place with Plex over the last 6 months. But today I was asked by a friend if I recommended Plex and I actually told them no… purely on this one major issue.
Specifically I told them that if they do go ahead to absolutely NOT purchase a Plex Pass.

I respect Plex decision to not reveal upcoming features. But 2FA is different. If they are working on it then they really need to tell us.
If they aren’t, then simply tell us that they have no (or at least minimal) interest in their users’ account security.


Is it worth it to change the Plex account password to something new (and obviously long and complex), then switch to using Google authentication w/ 2FA for login purposes? This seems to be a popular method to work around Plex’s lack of 2FA but I’m not sure it’s worth it if I’ll have a Plex account either way.


Well hopefully people are already using long and complex passwords.
Your solution is an ok workaround assuming Plex remove any option to sign in with a simple username/email and password. Whilst it’s there the issue is still on the doorstep of Plex.
I have torrent trackers that take 2FA far more seriously than Plex do, and they only have access to an account, not my physical data.

I actually just checked this out more now.
Specifically, whether “allow media deletion” can be enabled when accessing my server via Plex.tv, and it can, or so it seems.

Whilst all the hacked account reports so far have not involved anything truly malicious like loss of data the potential is there.
Every item can in effect be deleted from disk remotely from what I can see… assuming the hacked account belongs to a server owner.

  1. Hack a server admin account.
  2. Enable allow media deletion.
  3. Go wild deleting from disk as much as possible in the time it takes the true server owner to be notified of the change of email and to get their own access back. (all from the other side of the world)

Yep a PIN on the admin account will help. I’m curious though how many people who don’t share their server with others even bother with a PIN.

I really hope I’m missing something here and it’s not that simple.

I’ve worked around the media-deletion concern (which is legit) by having my Plex server access my media on a NAS via SMB with read-only access. That helps mitigate that situation.

I’m trying to be mindful of the likelihood that these hacks are likely just repeated-use passwords where someone gets around to testing them on another service, but either way it’s a fairly bad look for the security model when this comes up. For something that’s punching a hole into my network, security is always on my mind.

I’ve been debating if it’s time to separate the externally-accessible Plex server onto its own LAN with limited access to the internal network (via vlan or otherwise). I’m not sure how much pain that would entail, though.


We have been around long enough to have taken as many precautionary steps as possible.
But not every user is tech-minded (new or long-term users). Meanwhile Plex market themselves as a relatively easy-to-use service, so all “our” precautionary steps like “read only” shouldn’t be needed.
For many people’s workflow it would probably not even be an option to be read only.
We need some sort of in house 2FA or forced Google (or other) 2FA.

How would you convert/switch from a standalone Plex account to Google auth?

Simple as changing the Plex email to Gmail, logging in with Google and authorizing Plex?

I’m not even sure it’s necessary to change your e-mail address! I haven’t tried it yet myself, since I usually keep my accounts disconnected from Google/Facebook/etc on principle. I’ve run across others who have done it though, and it sounds like it wasn’t too complicated.

OK I clearly misunderstood this seeing as you also said

I gotta say I’m at a loss how this could be done.

I’ve read of a few people connecting their existing Plex account to Google auth, then resetting their Plex account password to something complex and no longer using it. So unless there’s a data breach, they’re now using their Google account for all auth, which has 2FA enabled.

I haven’t tried it though.


Right yeah I’m with you now.
However, there is possibly an assumption here that anyone having their account hacked is purely on the basis of weak/poor passwords.
So as long as there is even an option to sign in to Plex.tv via that complex password, I’m personally really not feeling it. Make signing in via a Google account that has 2FA set up the only option (once enabled), then yeah, I get it.

Anyway, in the meantime I will wait with interest until the inevitable day comes when someone hacks an account and deletes a user’s 200GB/100TB* media library.

Anyway, @Noxalus,
it’s great you got your account back. If the thread became a little TL;DR:
make sure you also changed your password to something ultra strong, and ideally also set a PIN for (at least) your own account.


Wow, I didn’t expect so many answers, thank you everyone!

@Xhaka I’ve already changed my password with a much more complex one. The one I used before was indeed too simple, but I didn’t think anyone would try to hack my account, that’s my mistake…

Also, I had a pin on my own account, but the hacker changed it. Hopefully I’ve been able to change it back!


Well I’m glad everything is OK.
I think I made my personal feelings clear. Security with Plex just truly sucks. (For me at least it’s the only thing that does.)

I actually just had one more thought on this. The whole situation could be eased if Plex handled email changes differently.
Instead of an email saying
“You just did … and if you DIDN’T click this link”
It should be
“You said you want to… and if you DO click this link”
Always to the long-standing email address.

Changes should be proactive rather than reactive. That way, if a user is genuinely changing their details they will be expecting a confirmation email. Nothing happens until confirmed.
What we have right now is pretty much “we have handed over your account to someone else, so click this link if you want it back”.

Any thoughts on anything in this whole topic from @anon18523487 or @BigWheel?
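The confirm-before-change flow proposed in the post above, written out as an added example (not Plex’s code); the account model, the mail sender callable and the one-hour link expiry are assumptions:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 3600  # assumption: one hour to click the confirmation link


@dataclass
class Account:
    email: str                      # the long-standing address
    pending: Optional[dict] = None  # an unconfirmed change request, if any


class EmailChangeService:
    """Confirm-before-change: the address changes only after the holder of the
    current address clicks the link, so a hijacker gains nothing by requesting it."""

    def __init__(self, send_mail: Callable[[str, str], None], now=time.time):
        self.send_mail = send_mail  # hypothetical mail sender: send_mail(to, body)
        self.now = now              # injectable clock so expiry can be tested

    def request_change(self, account: Account, new_email: str) -> None:
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked database row must not be enough to confirm.
        account.pending = {
            "new_email": new_email,
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self.now() + TOKEN_TTL_SECONDS,
        }
        # The mail goes to the existing address, never the new one. Nothing
        # about the account changes until that link is clicked.
        self.send_mail(account.email,
                       f"Confirm changing your email to {new_email}: token={token}")

    def confirm_change(self, account: Account, token: str) -> bool:
        pending = account.pending
        if pending is None:
            return False
        if self.now() > pending["expires"]:
            account.pending = None  # stale request, discard it
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(pending["token_hash"], presented):
            return False  # wrong or guessed token; request stays pending
        account.email = pending["new_email"]  # only now does the change apply
        account.pending = None  # the token is single-use
        return True
```

Compare with the reactive flow the thread complains about: there the address is swapped first and the old owner only receives an undo link afterwards, which is the window the hijacker gets to act in.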

You can contact security at security@plex.tv if you want to ask them something.


Ah thanks. I had no idea such a department existed after all these years.
:face_with_hand_over_mouth:

More info here: https://support.plex.tv/articles/reporting-security-issues/


@Noxalus @Cafe_Diem @TeknoJunky

security@plex.tv emailed. I will update when I get a response.


Just a heads up on this.
I got a reply from the Plex security department earlier. Apparently they are actively looking at the best way to implement 2FA.
:+1:

