Plex Data Breach - We Need Details & Your Future Plans for Prevention

Sorry but your non-explanation is not good enough! What’s with this crap of: “An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.”

Where is your database stored? It makes zero sense of a limited breach but at the same time you quickly contained it! Was this breach at the location of your physical computers and maybe a recently fired employee whose access card hadn’t been deactivated yet, gained access to your database? Did you notice this RED Flag and immediately cut off this person’s access? Or was the data breach remote and it was picked up, which caused you to cut the hacker’s Internet connection?

If this data breach was remote, you owe your customers an explanation as to what type of corporate Internet third party security system you’re using IF any at all. Right now, there’s zero proof Plex has any sort of paid corporate Internet security! Because this type of data breach of basic logon information should be stored in a computer network that has firewall protection, preventing unauthorized access. So pray tell, how in the world if you’re paying for a high quality Internet security system from a third party that such a data breach is even possible - HUH?

If you so-called quickly contained this data breach then it sounds more like an internal sabotage scenario by an insider with a grudge - am I correct? But one way or another you owe your customers a clear and concise explanation of what actually happened as opposed to the garbage PR statement you’ve put out! You need to be honest about whether it was an internal matter versus an outside remote connection. Because if this data breach was from an outside remote connection, that means your Internet security system is crap or it means you never invested in any corporate third party Internet security system. However, if this was an internal matter then that changes the picture altogether. You need to tell your customers which type of breach it was and most importantly, how you’re going to prevent such a reoccurrence from happening EVER AGAIN!

Well stop using Plex.

Apart from the issues of account hacking and data leaks, Plex sends requests to their servers with all the information about your library (movie title, when you pause/play, etc.).

Run, you fools!

Plex does not know the contents of your server.

Play progress is stored in the database on your server. It is not sent to servers at plex.tv.

If you enable Sync Watch State & Ratings, Plex will have info when a movie/episode is marked as watched/unwatched, but it does not know where that media exists. You can delete the information if desired. See the support article.

They don’t owe you anything more than what they already provided. Plenty of Fortune 500 companies have suffered breaches, and never provide the kind of information you are demanding.

They actually do. At least in Europe.

I sent them this below but I doubt anyone will reply. They keep saying it happened in early September but I am fairly certain it was end of August. I started to receive spam and scam on the email address dedicated only for Plex login for the first time ever on the 31st of August 2025.

Hello,
My email address has clearly been leaked during this attack.
I have an email address dedicated only for Plex access and known only to Plex and nobody else. On 31st of August 2025 I started to receive a buttload of spam/scam/virus emails on this email address (blabla@bla.bla) so I guess your data was attacked earlier than September 9th when you sent the below email.

Please let me know which data of mine has been actually stolen. Was it just my email or was it also data such as IP addresses, login times, movie lists, folder locations, full name, etc.?

Thanks
