I have used the "Sign in with Google" option to set up and use my account. I have no password set up on my account.
Concerning the potential data breach,
Do I need to take any action?
I’m asking myself the exact same question.
If it is implemented correctly, then there should be no password, only the SAML token from Google which is refreshed on every login, and therefore no need to reset the (as the GUI states, non-existent) password - only Plex has to update the app token with Google. I hope it is implemented as it should be, because I do not want to manage another password when there is no real need to do so.
To be safe I re-registered my server, because I don’t know how that connection is implemented and I assume it uses a more-or-less static token (similar to a twitch stream key) to connect and that could be part of the breach. At least it does not hurt to do so.
To be really sure what to do, a statement from Plex according to our “special” case is needed, because it depends heavily on how they implemented the SSO with Google.
This topic is also concerning me, and an explanation of how this issue impacts the Google authentication would be welcome.
If it is implemented correctly, then there should be no password,
Apparently it wasn’t implemented correctly since Plex staff has posted multiple times now that those using Google still somehow have a password here.
This is only the case if the Plex account was already in existence before it was linked to the Google account.
Initially, there were only regular Plex accounts. The ability to log in with Google, Facebook, Apple has only been added later.
And it is possible to link one or several of these “Login Providers” with an existing Plex account.
Let me make it clear that doing so will not remove the existing password from the Plex account!
None of the previous posters in this thread have a password on their Plex accounts. Therefore a password reset is not necessary for them.
To be absolutely on the safe side and to prevent the misuse of leaked device access tokens, you could reset these manually.
https://app.plex.tv/desktop/#!/settings/devices/all does list all valid access tokens of your account. If you delete these, those devices will lose access.
You will have to re-connect these Plex clients with your Plex account.
If you delete the token of your server as well, you will also have to re-connect your server.
(note: if you try this with Plex clients in your local network, you could get the impression that revoking the token didn’t work. However, this could be caused by the server configuration “List of IP addresses and networks that are allowed without auth”. All clients with these IP addresses will continue to have access, because the configuration explicitly instructs the server to give them access anyway.)
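The note above describes a case where revoking a device token appears to have no effect because the server setting "List of IP addresses and networks that are allowed without auth" grants access by source address regardless of token. The following Python script is an added illustration, not Plex code, that models that decision logic so the effect can be seen on constructed data: it assumes the setting is a comma-separated list of addresses or CIDR networks, checks the network allowlist before the token, and includes an audit helper that flags allowlist entries reaching outside private or loopback address space. Token values, IP addresses and the setting string below are constructed samples.

```python
import ipaddress

# Constructed sample value of the server setting
# "List of IP addresses and networks that are allowed without auth".
SAMPLE_SETTING = "192.168.1.0/24, 10.0.0.5"

# Private and loopback ranges an allowlist is normally expected to stay within.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]


def parse_allowed_networks(setting):
    """Parse the comma-separated setting into ip_network objects.
    Single addresses become /32 (or /128) networks; strict=False tolerates
    host bits set in an entry such as 10.0.0.5/8."""
    networks = []
    for entry in setting.split(","):
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_request_authorized(client_ip, token, valid_tokens, allowed_networks):
    """Model of the access decision (assumed ordering, not Plex's code):
    a client inside an allowlisted network is granted access before any
    token is looked at, so a revoked token makes no difference for it."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr.version == net.version and addr in net for net in allowed_networks):
        return "allowed-by-network"
    if token is not None and token in valid_tokens:
        return "allowed-by-token"
    return "denied"


def flag_broad_networks(networks):
    """Return allowlist entries that are not contained in a private or
    loopback range; these extend no-auth access beyond the LAN."""
    flagged = []
    for net in networks:
        contained = any(net.version == pr.version and net.subnet_of(pr)
                        for pr in PRIVATE_RANGES)
        if not contained:
            flagged.append(str(net))
    return flagged


def revocation_walkthrough():
    """Show the same LAN and remote client before and after revoking all
    device tokens; returns the four outcomes for inspection."""
    allowed = parse_allowed_networks(SAMPLE_SETTING)
    valid_tokens = {"tok-A", "tok-B"}  # constructed device tokens
    before = (is_request_authorized("192.168.1.20", "tok-A", valid_tokens, allowed),
              is_request_authorized("203.0.113.9", "tok-A", valid_tokens, allowed))
    valid_tokens = set()  # every device token deleted in the account's device list
    after = (is_request_authorized("192.168.1.20", "tok-A", valid_tokens, allowed),
             is_request_authorized("203.0.113.9", "tok-A", valid_tokens, allowed))
    return {"lan_before": before[0], "remote_before": before[1],
            "lan_after": after[0], "remote_after": after[1]}


if __name__ == "__main__":
    for name, outcome in revocation_walkthrough().items():
        print(f"{name}: {outcome}")
    print("broad entries:", flag_broad_networks(parse_allowed_networks("0.0.0.0/0, 192.168.1.0/24, 8.8.0.0/16")))
```

The walkthrough shows the remote client losing access once its token is deleted while the LAN client keeps access, which is exactly the impression described in the note. Running the audit helper over your own setting value is a quick way to confirm the no-auth list covers only the local network you intend.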