So Plex was hacked, what now?

Can you quote anything anywhere that says “our entire database was stolen”? Because you referenced reading both an email and a post, neither of which says anything close to that…so…

Let me guess your next comment is “now that I might have been compromised I added 2FA”

As opposed to who? The trillion dollar Google that just had a breach? Or Cloudflare, the company that helps run a vast majority of the internet? Microsoft? Or the United States government that had their entire telecommunications system breached for years? “Clearly” lmao. I think you have a deep misunderstanding of what “security” means. If you want you (and your products) to be fully secure then throw them in the ocean and go live in the woods.

2 Likes

I followed the instructions and changed my password.
But when I log in again, I get a suspicious message from my password manager.
(An embedded page at app.plex.tv says the form is hosted by a different domain than the URI of your saved login.)
This is the first time I’ve gotten this message. Why isn’t this explained so we know it’s safe to log in again? This kind of message after a hack doesn’t inspire confidence.
And what if the two-factor master key is stolen? Then they can also use the two-factor.

As of 2022, Plex was salting, peppering, and hashing with bcrypt. I don’t know if that has changed since then.
Source: I worked at Plex until June 2023.

10 Likes

Could you please address the misinformation directly? These are valid questions that merit clarification. The current response feels insufficient and leaves concerns unresolved.

Selective copy/paste leaving context out. I see.

After what you copy/pasted the OP wrote “Maybe. Maybe not.”. He is addressing the usual way Plex reacts to these problems, not providing an exact picture of what happened. So maybe everything was stolen, maybe nothing, who knows? Maybe you REALLY HAVE to reset your password, maybe you don’t really have to do it, who knows?

2 Likes

To be fair, if you think there are unanswered questions, now is the time to change your password and don’t wait.

That doesn’t change anything. “Maybe, maybe not” is not at all what has been clearly communicated. It’s just added nonsense, just like what follows. It doesn’t change the fact that the whole rhetoric, if there is even such a thing here, stems mostly from an initial wrongful assertion. Now you are free to speculate as much as you want. Seems like nothing can satisfy you, given where you are coming from.

2 Likes

As of 2022, Plex was salting, peppering, and hashing with bcrypt. I don’t know if that has changed since then.

I wish they had written that in the disclosure statement; that would indeed virtually close that attack vector and make attacks like credential stuffing the real threat here.

I also wish that they explained why both changing the password and signing out all existing devices mitigate the risk from the breach - have device tokens, API keys etc. been compromised that would allow bypassing login requirements?

5 Likes
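The two posts above describe the scheme (a per-user salt, a server-side pepper, and a slow hash such as bcrypt) and why it matters: a stolen database row holds the salt and the hash but not the pepper, so offline guessing against the dump does not work and reused passwords from other breaches become the practical threat. The following is an added illustration, not Plex’s code; bcrypt is not in Python’s standard library, so PBKDF2-HMAC from `hashlib` stands in for the slow hash (swap in `bcrypt.hashpw` for the real thing), and the `PEPPER` value and the storage format are constructed for the example.

```python
import hashlib
import hmac
import os

# Hypothetical server-side pepper. In a real deployment it lives in a secrets
# manager or HSM, NOT in the user table, so a database dump does not include it.
# (constructed sample value)
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Work factor for the slow hash; plays the role of bcrypt's cost parameter.
ITERATIONS = 200_000


def _pepper(password: str, pepper: bytes) -> bytes:
    # "Peppering": bind the password to the secret pepper before the slow hash.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a storable record: algorithm$iterations$salt$digest (all hex)."""
    salt = os.urandom(16)  # per-user random salt, stored alongside the hash
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _pepper(password, pepper), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def offline_guess_with_dump_only(stored: str, guesses: list[str]) -> list[str]:
    """Simulate what can be done with only the leaked row (salt + hash, no pepper):
    every guess, including the correct password, fails to verify."""
    return [g for g in guesses if verify_password(g, stored, pepper=b"")]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("dump-only matches:", offline_guess_with_dump_only(
        record, ["password", "correct horse battery staple"]))
```

The `offline_guess_with_dump_only` call returns an empty list: without the pepper the leaked row cannot confirm even the right password, which is why the remaining risk is credential stuffing (the same password tried against the live login from some other site’s breach), and why a unique password per site is the mitigation the pepper cannot provide.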

In the security notice, it mentioned that “authentication data” was included. This makes me think that there is a chance that tokens may have been compromised, which is why changing passwords and signing out devices may be required.

4 Likes
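The reasoning in the two posts above (if “authentication data” includes device tokens, then a password change alone does not help, because a token bypasses the password prompt) is easiest to see in code. This is an added example, not Plex’s implementation: a hypothetical `User` record keeps a `token_version` counter, tokens are stored only as hashes, and “sign out all devices” bumps the counter so every previously issued token is rejected even if an attacker still holds it.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # Bumped on "sign out all devices"; tokens minted under an older version are void.
    token_version: int = 1
    # Server stores only the SHA-256 of each issued token -> version it was minted under.
    token_hashes: dict[str, int] = field(default_factory=dict)


def _digest(raw_token: str) -> str:
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


def issue_device_token(user: User) -> str:
    """Mint a random token for a device; the raw value goes to the device only."""
    raw = secrets.token_urlsafe(32)
    user.token_hashes[_digest(raw)] = user.token_version
    return raw


def validate_token(user: User, raw_token: str) -> bool:
    """A token is valid only if it was issued and its version is still current."""
    minted_under = user.token_hashes.get(_digest(raw_token))
    return minted_under is not None and minted_under == user.token_version


def sign_out_all_devices(user: User) -> None:
    """Invalidate every outstanding token without needing to find them all."""
    user.token_version += 1
    # Drop the dead entries so the table does not grow forever.
    user.token_hashes = {
        h: v for h, v in user.token_hashes.items() if v == user.token_version
    }


def leaked_hash_is_usable(user: User, leaked_hash: str) -> bool:
    """What a database dump gives an attacker: the stored hash, not the token.
    Presenting the hash itself as a token fails, so hashed-at-rest tokens
    survive a dump; plaintext tokens would not."""
    return validate_token(user, leaked_hash)


if __name__ == "__main__":
    alice = User("alice")
    tv_token = issue_device_token(alice)
    print("before sign-out:", validate_token(alice, tv_token))
    sign_out_all_devices(alice)
    print("after sign-out:", validate_token(alice, tv_token))
```

Whether Plex stores tokens hashed is not stated in the notice; the example shows the two defender-side controls that make the recommended steps meaningful either way: hashing tokens at rest limits what a dump yields, and a per-user version counter makes “sign out everywhere” a single write rather than a hunt for every issued token.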

What an annoying thread by OP.

  1. Change your password.
  2. Nobody cares about your content.
  3. Touch grass.
  4. Move on.

4 Likes

So I changed my password and can log on in Chrome and Edge on two different PCs and my mobile phone. All are currently on my home WiFi.

Unfortunately neither PC can see my server. I get “[Servername] is currently unavailable”

One further observation: when I logged on in each browser the first time after changing the password, with a password, I was initially taken to a different page - with a login button at the top. When I clicked that, I was then able to log in using just my email address - I wasn’t prompted for password.

Seems to be some sort of server authentication issue - but not affecting the mobile app - anyone got any ideas?

I received an email, supposedly from Plex, about a potential security incident. The email address is: hello@mail.plex.tv. Is this email legit? I think the username “hello” is unprofessional for a company. That’s why I became suspicious. I’m afraid that link to change password could be the real security breach!! Can you confirm the email is legit? Thanks.

See Important Notice of Security Incident for confirmation.
There is no need to click on any link in that email.
Everything can be done via regular means, like https://app.plex.tv/desktop/#!/settings/account

2 Likes

I guess I’d better start a dedicated thread - this is going to get buried.

I’m in the same boat, haven’t seen anyone address this situation yet.

So is everyone affected or is it just select people? Will the email come regardless of being unsubscribed from newsletters? Is it tokens or database records?

“limited subset of customer data” can easily mean: “some customer data, but from every customer”, but you seem to be taking it as “some customer data, from some customers”.

But it’s fairly clear they don’t know. Or are choosing not to tell us.

This is when I get annoyed, Plex’s response is vague and doesn’t give me enough information to make any kind of informed decision.

4 Likes

Duddeeeee Plex had a similar hack like 3 years ago.

Show me where Google has had customer passwords stolen twice in 3 years.

So yeah I think they can do better!

1 Like

Uh, I’m more hell bent on the American credit bureaus and how they managed to screw everyone with their very own subpar standards to the newest of lows. Out of everything that Plex Inc. has done, changing passwords again is a nonissue for most. If you were sinking your teeth into Plex for their UI flaws, then you’d get more support for your keyboard warrior rage.

IT security is a never-ending issue. I think Plex Inc. does a fairer job than MOST top corps about this. YouTube still doesn’t allow PIN codes to prevent others from switching into your YouTube or YouTubeTV accounts, but Plex has that. :man_shrugging:

1 Like

HELP, I changed my password as suggested. I can sign in to the Media Server, but it can no longer find my content (media server) even though it is on the same computer. I’ve followed the instructions in the article (which, of course, I can’t find now) to remove four lines from my registry (yes, I use Windows) and I still can’t connect to my server.