So Plex was hacked, what now?

So Plex just had its entire user database stolen from them. Maybe. Maybe not.

So reset your password.

But they aren’t going to make it mandatory.

So just what happened? Who’s the “unauthorized third party”?

5 Likes

All explained here. Please read it.

Important Notice of Security Incident - Announcements - Plex Forum

2 Likes

Oh I disagree, I read the email that was a copy and paste of that post and in fact all was NOT explained. In fact very little was explained.

So little that there’s some major questions now, such as “are the plex people trustworthy, should I even be continuing to use a service that demands more personal data, only they seem to be unable to secure it?”

So no good sir JohnAlex, all was not explained.

Plex has a great deal more to explain. Significantly more. For example for starters:

  • What exactly happened?
  • How did an “unauthorized third party” exfiltrate your entire account database?
  • Who was this “unauthorized third party”? Random hacker? Unhappy ex-coworker? Intern? Contractor? Could be any of those people!
  • Just how much of your account database was stolen? I am pretty sure they don’t know that; they are careful not to say so, but it is easy to read between the lines.
  • What is being done to fix this? Future variants of this attack? Other attacks?
  • Are they going to fix their product prioritization? Clearly they haven’t spent enough time on security.
  • When/where can we read the postmortem?
  • If the security breach is so bad you recommend changing passwords, but not bad enough to require that… just how bad was it exactly?
  • In what ways is plex going to be taking responsibility for this breach?

So yeah, there’s a lot unanswered.

Already I can see that changing your password ■■■■■ your plex server over, and requires some annoying extra work to reclaim and etc. So I think I will avoid doing that extra work until I get better answers from them.

24 Likes

There is so much misinformation in your post that it just isn’t worth my time to respond in detail.

Do or don’t make the change.

I did and it was simple as it will be for most. Some will have issues due to configurations for the most part.

Also if you don’t update to the latest server version, remote users will not be able to connect anymore. As Plex mentioned.

Frankly, Plex have done far more than other vendors I use in terms of security breaches. A very large company locally still refuses to admit a breach 3 months after the event but are being forced to do so by the government.

Plex notified me via email and this forum. They requested a password change (if I use a password. I don’t but I changed the old one anyway. Most of my apps and sites are now 2FA/MFA/authenticator or passkey) and a server update to resolve the issue for the future. They also gave me the information I needed about the issue. No doubt more detail will come as it has in the past but I have enough for now as will most people.

Good luck.

5 Likes

Hello Dear JohnAlex,

Could you please specify what exactly is “misinformation” - you cannot just throw wild accusations around like that without actually providing some argument. Not everything you disagree with is “misinformation.”

I’m not really sure what the non-sequitur of “other vendors” is all about - if anything that’s the real misinformation and misdirection. We don’t give Plex a pass because “a very large company locally” has done worse.

For whatever it’s worth, my yardstick here is Google Cloud. They publish comprehensive post-mortems in a timely manner, and offer decisive and meaningful security guidelines. They also take monetary penalties when their published SLAs are violated. Oh yeah, and all this for mere outages; they haven’t had any significant broad-scale security breaches like Plex just did.

So here is what I am reading from what they said, and more importantly didn’t say:

  • Someone hacked their internal account database
  • Some amount of user data was exfiltrated, but they do not know how much.
  • Sounds like they don’t suspect all of it.
  • They’ve made a cost trade-off to NOT reset passwords, probably because they know embedded servers are difficult to restore, as seen by forum posts with Synology Plex server installs that are not trivially recoverable (total database reset in one case, it looks like?)
  • But still, some passwords were exfiltrated, but which ones?

So we are left with a high cost password reset which we are to undertake on our own responsibility, which could easily brick your plex media server, but they aren’t forcing it. Aka they’re refusing to take responsibility for the hack.

Just because you have terrible vendors at work Sir JohnAlex, doesn’t mean Plex gets a free pass.

13 Likes

I am very interested in hearing when this access took place. How long did the attackers have access? From what dates to when? I have several family members who created accounts very recently who are elderly and live in other states, so I want to avoid resetting them if at all possible.

10 Likes

If I already have Google 2FA does that include us?

3 Likes

To begin with, first thing you wrote:

Such a thing was never communicated. This is the statement:

That wrongful assertion of yours alone already says enough, so I too will not waste my time responding in detail to what follows.

4 Likes

So my main account was hacked and the email address was changed so I can’t get access to that account. What do I do now?

Contact | Plex

Contact Plex immediately. This has been the process for many years as they can return the account to you.

Edit - I will offer though that your issue is unlikely to be related to the current issue. Passwords were salted and could not be used to hack an account. Is it possible your system or password was compromised by other means?

Definitely consider 2FA in the future. The sooner we get away from passwords the better.

2 Likes

I missed this… it was not in the email or the forum announcement. Are you referencing the mandatory server upgrade that coincided with the “new experience?”

2 Likes

Plex Media Server - Security Update - Announcements - Plex Forum

1 Like

Ahh, thank you. My version does not fall in that window, so that explains why I didn’t have any disruptions in friends connecting, but now I know!

1 Like

I had no issues in that regard either wrt server version as I am on beta.

However, I did have users with access issues as I reset a server password just in case. I use 2FA so not important but I prefer to update passwords anyway.

All clients have now reconnected, just took a little time with authentication server loads.

Was also a good time to remove old clients that were logged on that are no longer used.

Can anyone tell me if I need to do anything with respect to the fact that I have logged into Plex with my Apple account on the login page at times in the past.

I usually use normal password and email login but have on rare occasions used ‘login with Apple’.

Have changed passwords and added 2FA already just need to check on this one last potential issue.

Could you clarify when exactly this occurred?
Additionally, have you sent a direct email notification to the individuals whose information was compromised?

2 Likes

I’ve not received an email, and the only way I found out about it was from Reddit pointing me here.

I agree with others that their wording in the announcement is pretty vague.

No mention of dates, or how many details were stolen.

Not a great response so far from Plex.

2 Likes

Sounds like it might be a small subset of all accounts, not every one. I got an email on my primary (older) account, but not my test account I made 2 years ago.

Edit: A day later, I got an email to my secondary account.

1 Like

The keyword I’m missing from this disclosure is “and salted”. What the heck is “best practices”? Unsalted MD5 hashes were “best practices” once upon a time, but that’s only marginally safer than plain text.

2 Likes
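The point the post above makes about “best practices” versus “and salted” can be shown concretely. The following is an added illustration, not code from Plex or from any poster in this thread: an unsalted MD5 hash of a common password matches a precomputed table instantly, while a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the Python standard library here) gives every user a different digest and makes such tables useless. The password list and the “table” are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of weak passwords; in practice a leaked unsalted-hash
# database is compared against tables built from far larger lists.
COMMON_PASSWORDS = ["password", "123456", "letmein", "plexrocks"]


def unsalted_md5(password: str) -> str:
    """The legacy scheme: identical passwords always give identical hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def precomputed_md5_table(words) -> Dict[str, str]:
    """Map hash -> plaintext for a word list; computed once, reusable for any leak."""
    return {unsalted_md5(w): w for w in words}


def recover_from_unsalted(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Why unsalted hashes are barely better than plaintext: a dictionary lookup."""
    return table.get(stored_hex)


def make_salted_record(password: str, iterations: int = 600_000) -> dict:
    """Store a fresh 16-byte random salt with the PBKDF2 output.
    The salt is not secret; it only has to be unique per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def salted_records_differ(password: str, iterations: int = 1000) -> bool:
    """Two users with the same password get unrelated stored hashes,
    so one precomputed table cannot serve the whole database."""
    a = make_salted_record(password, iterations)
    b = make_salted_record(password, iterations)
    return a["hash"] != b["hash"]


if __name__ == "__main__":
    table = precomputed_md5_table(COMMON_PASSWORDS)
    print("unsalted md5 lookup:", recover_from_unsalted(unsalted_md5("letmein"), table))
    rec = make_salted_record("letmein")
    print("salted record:", rec)
    print("verify correct:", verify_salted("letmein", rec))
    print("same password, different hash:", salted_records_differ("letmein"))
```

The iteration count is the knob a defender tunes so that each guess costs the attacker real CPU time; the value used by default here is an assumption, not a figure from the disclosure.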

The issue is covered here by CVE NVD - CVE-2025-34158 and is a transfer between spheres issue. It has been fixed in the latest publicly available update. However, my problem is that I cannot update my password, as the Plex system keeps rejecting the offerings from my password generator as invalid. Now this normally means that the password is deficient, but those from the password generator are not. The second reason a password is declared invalid is because of poorly written password checkers at the server end; usually that they only accept a subset of non-alphanumeric characters. I can’t find any information on Plex’s handling of passwords here or in the help files. Can it cope with all and any such characters or not?

1 Like
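The post above describes the second common reason a generator-produced password is rejected: a server-side checker that whitelists a handful of “special” characters. The following is an added example of a checker that does not do that, written for this thread and not taken from Plex (whose password rules are not documented on the page). It accepts any printable Unicode, normalizes to NFKC so the same visible string always hashes the same way, and enforces only a minimum character length, a ban on control characters, and the byte cap of the hash in use; the 72-byte cap and 12-character minimum are assumptions chosen for the example. A deliberately strict legacy-style checker is included for contrast.

```python
import unicodedata
from typing import Tuple

MIN_CHARS = 12      # assumed policy minimum
MAX_BYTES = 72      # assumed: bcrypt-style KDFs truncate input at 72 bytes


def normalize_password(password: str) -> str:
    """NFKC so composed/decomposed forms of the same glyphs compare equal
    (e.g. a precomposed 'é' vs 'e' + combining accent)."""
    return unicodedata.normalize("NFKC", password)


def validate_password(password: str) -> Tuple[bool, str]:
    """Return (ok, reason). No character whitelist: every printable character,
    including all punctuation and non-ASCII letters, is acceptable."""
    pw = normalize_password(password)
    # Unicode general category 'C*' covers control, format, surrogate and
    # unassigned code points; nothing a user intends to type lives there.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control or unassigned characters are not allowed"
    if len(pw) < MIN_CHARS:
        return False, f"must be at least {MIN_CHARS} characters"
    if len(pw.encode("utf-8")) > MAX_BYTES:
        return False, f"must be at most {MAX_BYTES} bytes when UTF-8 encoded"
    return True, "ok"


# The anti-pattern the post complains about: only a fixed subset of
# non-alphanumeric characters passes, so generator output is often rejected.
ALLOWED_SPECIALS = set("!@#$%^&*")


def strict_legacy_check(password: str) -> bool:
    return len(password) >= MIN_CHARS and all(
        c.isalnum() or c in ALLOWED_SPECIALS for c in password
    )


if __name__ == "__main__":
    # Constructed sample that a typical generator might emit.
    generated = 'Vq7{j>~=|K"z,9\'pL'
    print("permissive:", validate_password(generated))
    print("legacy:", strict_legacy_check(generated))
```

The practical consequence for a user facing repeated “invalid password” errors is that length, not the presence of exotic symbols, is where the strength comes from, so a long generator password with the symbols removed is not a meaningful downgrade.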