Rogue device connecting to my Plex even after MULTIPLE password changes and kicks

I have an old Roku TV device that keeps connecting to my Plex that I cannot seem to block. The TV is no longer in our possession. I can block the IP at the router, but this device is still getting in to my ACCOUNT. Blocking the IP just means they don’t have access to the media. I have MFA on the account and there is no chance they getting the MFA code. I have changed the master password and kicked all devices off TWICE and the device is still able to connect. When the device reconnects, I have removed it from Authorized Devices. And yet, it is STILL able to connect to my account and stream media using one of the Managed Accounts.

I have a thread on the Plex Discord dating back 2 months now with all of the things that have been tried and set to attempt to block this device. They are able to connect without being in the Authorized Devices list even after 2 password resets and multiple other changes. How is this happening? What kind of security does Plex have that doesn’t force a change when all the tokens are changed on a password reset? Any way to force this device off of my account permanently?

Discord topic for far more background information and screenshots and such.

Can you post the IP of the rogue device? My first gut thought given that you have followed all standard protocols for account security, changing passwords and invalidating current sessions, is that this could be an unrealized VPN. I know that at times firefox, chrome, and apple have all put in their own relay service and routed all traffic thru one of their IPs.

Roku devices cannot be managed in detail. Roku’s way of attaching other services (i.e. Plex in this case) prevents it.
You will have to remove that rogue device from your Roku account.
Plex is only granting access to a particular Roku account as a whole.

It’s an ISP around Dallas. I did look that up pretty early on. Not opposed to sharing the IP. Currently it is using: 47.161.157.77

So, if even one of my Roku devices connects to Plex, all connect? I ask because whenever I have reset the password and kicked off devices, I have had to reconnect EACH Roku device (we have at least 7 of them). So, my experience does not match what you are saying.

I did go look in my Roku account and removed the device. It was still there. However, I have doubts that this will solve the issue. Time will tell though. I removed the Class A firewall block on my router to see for certain. If they aren’t blocked, I will know in a few hours/days.

Well, that didn’t work. The device was in my Roku account still. I went and removed it from Roku. They connected back to Plex again yesterday.

The device is NOT in either Roku Streaming devices or in Plex Authorized Devices. And yet, this rogue device is STILL connecting to my Plex account.

Enable debug logging in your server settings.
(But NOT “verbose” logging!)

If you notice them connecting again, wait about 5 minutes, then fetch the server logs.

I concur, I have 3 Roku devices sharing the same account and I have to log in to watch one individually after changing my password.

It doesn’t happen immediately, but my devices will ask to sign in after a few days or immediately if I sign it and sign back in.

Maybe I’m not understanding what @OttoKerner is describing? (Thankfully, I’m not currently having any issues)

Ok, I have the logs. It was 10 hours after they connected again, but I assume that isn’t an issue. What do you want me to search for in the logs and which log?

I did some searching by IP in all the logs (grep). I found one instance of that IP in the Plex Transcoder Statistics.log. Here is that sole entry:

<SessionReport version="2" startTime="0" startTimestamp="Sep 19, 2025 20:36:44.611" key="/library/metadata/124296" session="f8494ab897e8616df110b7a845f0a1a2" transcode="88c19b80-6b66-4c58-8d36-d1c5db2ec751-1">
<User id="31564678" thumb="https://plex.tv/users/800b7c9c0af2f055/avatar?c=1758332177" title="Stephanie" />
<Player address="47.161.157.77" device="Roku Express" machineIdentifier="f8494ab897e8616df110b7a845f0a1a2" model="3930X" platform="Roku" platformVersion="14.x" playbackId="88c19b80-6b66-4c58-8d36-d1c5db2ec751-4" playbackSessionId="88c19b80-6b66-4c58-8d36-d1c5db2ec751-1" product="Plex for Roku" remotePublicAddress="47.161.157.77" title="Roku Express 1" vendor="Roku" version="8.6.5.10604-ea6e6ca15-Plex" local="0" relayed="0" secure="1" userID="31564678" />

Searching by the title/model Roku Express 1 yielded no additional results. Nor did searching by the machine identifier of f8494ab897e8616df110b7a845f0a1a2 or device Roku Express.

So, I am at a loss as to how they are still connected. I once again looked at both my Plex device entries and my Roku entries and that device (and nothing even close) is not in either authorized device list. So, there is literally no reason this device should still be able to connect.

What further instructions or requests for logging do you have?

You could try setting up Plex Home and then setting a PIN on your account.

Can’t get access if they don’t know your PIN, it’s mind-blowing that a password reset and logging all devices off wasn’t enough - this is clearly a security issue…

Depending on your firewall setup, maybe you can set up a WAF (web application firewall) or similar? Shouldn’t be necessary, but here we are.

I have a PIN on the Home Admin, but not all the Managed Accounts. But, I shouldn’t NEED to do that if the device isn’t authorized anymore.

I blocked the whole Class A on my router. I revert the block in order to test things and they persistently keep connecting. I agree that this seems like a Plex security issue at this point.

No, you absolutely shouldn’t need to implement a PIN. Hopefully someone at Plex will find a solution.

Not to be an alarmist, but this type of vulnerability is almost CVE worthy in my opinion.

I am sorry this is happening to you.

I’m also a little concerned that it’s been a week since anyone from Plex has popped in here to check in on things…maybe try @ ing them? They were asking for logs then effectively buggered off (sorry to call you out).

To be fair to Otto, he replied 8 days ago and then I didn’t respond to him until today. So, the delay was on my side and not his.

While that’s fair, given the information provided in this thread and the potential implications, if it were my platform, I’d be touching base and checking in.

There was also a reply he was poked in the next day.

Plex can’t see your roku account so if the user is connecting through your roku account, you’ll need to contact roku to have it permanently removed from your account.

Alternatively, do you use plex home and share with another full plex account user? If so, they may be connecting through that account then switching to your account since you don’t have a pin.

I have confirmed that there is no such device in my Roku account that no such device still exists in there. It DID exist at one point. That was confirmed after Otto responded, but that device was kicked from both Roku and Plex. I did not change passwords on either account, but both have MFA on them and the user is not getting past that.

It is possible that removing the device from the Roku account didn’t log them out of Roku, but that has never been my experience before. When I have done that before it kicks me out of Roku and forces me to setup the device again.

I do use Plex Home, but do NOT ;share with another full plex account. It is just managed accounts for myself and my immediate family. I do not use the home admin to watch media; only to manage Plex itself.

UPDATE: To be sure about Roku kicking me out, I just did it on one of my TVs. I was signed in to Roku and also made sure I was in Plex. I kicked the device from Roku and POOF, I was signed out of Roku. So, if it WAS tied to my Roku account, they should have been kicked and not able to get back in to it.

Provide the server log next time you notice. Will need to see the start of the connection.

Ok, so I think I figured it all out thanks to Otto’s suggestions. We will have to see, but it seems likely that the root cause has been found. I have an audit policy running on my firewall now to see if the rogue device connects again.

TL;DR version: A TV in our guest bedroom was logged in to Roku with someone else’s account.

Long version: Given the way Otto said Roku works with authorization to Plex, I started looking at all my TVs/devices to see if I could match the name of the device to Roku/Plex. In doing so, I found that someone else’s account was used on one of our TVs for Roku. That means that every time we authorized that TV on Plex it was allowing that whole account access. I even confirmed that was the behavior of Roku devices after finding this.

Once I realized that was not our Roku account, I factory reset that device. I then went in to Plex and reset the password and kicked off devices again. One thing to note is that checking that box didn’t remove everything from Authorized Devices in Plex. I have had this issue before and noted it either in this thread or the Discord thread. I manually went in to Plex after reclaiming the server and removed most devices. There were some that I knew exactly what they are, so I didn’t deauthorize them.

After doing that, I went to Plex on our main Roku TV and logged in to Plex there. Required me to authorize it (QR code to login and MFA prompt). After doing that, the next Roku device I went to for Plex did NOT require me to authorize or MFA. It just connected right to Plex without any login prompt or warning. I confirmed this on a 3rd device. All 3 devices (the first explicitly authorized and the 2 implicitly authorized devices) then showed up in Plex Authorized Devices.

This is confirmation of what Otto was saying about how Roku is account-wide Plex authorization for all devices. This ALSO explains a rogue device. Every time we re-authorized that guest room TV, it authorized for that whole rogue account.

So, I get HOW it is happening, but what I don’t understand is why Plex is allowing this. This seems like a security issue to me. I understand Roku wants to make it “easy” on their customers, but Plex should have security built-in to prevent such a thing. Obviously, it’s a feature request and may already be on the Plex roadmap.

At this point, I think the issue is resolved. I am going to mark Otto’s answer as correct even though I think it needs more context. Still, he was right. Thank you to everyone that responded and helped. I really appreciate it.