I received the email re. the hack and the recommendation to reset my account password. However, upon clicking the reset link, despite the response supposedly being quick, I waited several hours before a reset email appeared in my inbox. When I went to use it, it said the link had expired. Nice trick.
So, I have requested another reset link but so far nothing has arrived. Presumably it will in a few hours' time, but if it fails again, what do I do?
I can log in normally with my existing credentials and I use 2FA. How concerned should I be about this hack anyway?
Then there is no need to use the password reset method. It is for users who actually forgot their passwords.
Simply go to https://app.plex.tv/desktop/#!/settings/account
and change your password there. Don’t forget to tick the checkbox “Sign out connected devices after password change”. (Without it, the whole exercise will be for naught.)
After doing the above, you will need to re-claim your server (i.e. add it to your account again). Otherwise you will not be able to use it, at least when remote.
Instructions for reclaiming the server are slightly different, depending on the server platform. So you might wanna mention which it is.
Although there are no indications that the 2FA systems were compromised, it is good practice to invalidate potentially leaked password hashes anyway, even though they were salted and peppered and won’t suffice for getting access without a 2FA code.
In the end it is completely up to you if that constitutes sufficient reason for taking action. But it is Plex’s responsibility to inform you about it and advise you about the safest measures to take.