So Plex was hacked, what now?

You are not signing in to your server. You are signing in to your plex.tv account.
But the password change has removed all devices from this account, including the server.
You need to “claim” the server back into your plex account.

See Unable to access server after password reset - #116 by OttoKerner

FIXED. I was opening Plex Media Server from a browser, but not from the system tray. Once I used the tray it found my server.

@plex please stop editing Important Notice of Security Incident as it’s next to impossible to see what you are changing.

If you need to update it then please post a reply to your announcement …

JohnAlex, as far as I know, isn’t a Plex employee, so you’re asking him questions he can’t answer.

Bad comparison. Google is a major company with dedicated security teams that comb for intrusions daily. The scale can’t compare for Plex or most regular services. ■■■■ happens; they’ll keep trying to do better. It’s like a random dude punching you in the face and stealing your watch. You can prepare all you want, but until you’re confronted with the method they use to mug you, it’s not known if you’re really ready to react.

That’s our ex plex employee for the win giving insightful info. :slight_smile:

That was a CVE for a known Plex vulnerability. But it’s unclear if this and that incident are related to the theft of user login credentials.

This is a hilarious response from you.

If Plex didn’t do auth on their private servers there would have been nothing to hack.

The reason our data was stolen was because Plex insists on doing auth for our servers on their remote servers instead of the Plex server handling it locally.

Comparing this to google is ridiculous, Google is not a server I am hosting.

Good thing Plex made remote streaming a pay feature, there’s literally no risk of anyone ever accessing my server anyway.

@kimidu

It’s honestly likely safer if they do it than if general users do it. Most people are not tech savvy or don’t care about security, so you’ll have users that are potentially more harmful to themselves than if they let Plex handle it. Having both options is better.

Now, if you want security, don’t use Windows. Use a dedicated hypervisor like Proxmox: put it in a VM + Docker or an LXC container + Docker. You add additional layers of isolation or confinement to prevent lateral access from a vulnerable Plex. If you want to take it a step further, use another subnet and VLANs to isolate your network. And make sure your permissions are appropriately set: 755 for directories and 644 for files.

Additionally, you can protect your Plex using a reverse proxy and your own self-signed certificates.

Install a security platform (XDR & SIEM), something like Wazuh.

There are additional measures you can take besides handling the authentication of your account.
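The reverse proxy and self-signed certificate suggestion above, written out as an added shell example (not code from any poster or from Plex). It assumes a hostname of plex.home.lan, an output directory for the key and certificate, and that Plex listens on 127.0.0.1:32400; the nginx server block is the generic TLS-terminating proxy shape with websocket headers, which the Plex web client needs for live updates. The caveat a practitioner should keep in mind: a self-signed certificate is only useful if it is installed in the trust store of every browser and device that will use that hostname, otherwise they will (correctly) refuse the connection. Plex’s own network settings include a “Custom server access URLs” field where the proxied URL can be advertised to clients.

```shell
#!/bin/sh
# Added example (not from the thread): terminate TLS in nginx with a
# self-signed certificate and forward to Plex on the loopback port.
# Hostname, directories and the Plex bind address are assumptions.

# Generate a private key and a self-signed certificate for host $1
# into directory $2. The SAN extension matters: modern clients ignore
# the CN and match the name against subjectAltName only.
make_selfsigned_cert() {
    host=$1; out=$2
    mkdir -p "$out"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$out/$host.key" -out "$out/$host.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
    chmod 600 "$out/$host.key"
}

# Write an nginx server block to file $3 that serves host $1 over TLS
# using the cert pair in directory $2 and proxies to Plex on
# 127.0.0.1:32400. nginx variables are escaped so the heredoc leaves
# them for nginx rather than expanding them in the shell.
write_nginx_site() {
    host=$1; certdir=$2; conf=$3
    cat > "$conf" <<EOF
server {
    listen 443 ssl;
    server_name $host;

    ssl_certificate     $certdir/$host.crt;
    ssl_certificate_key $certdir/$host.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:32400;
        proxy_http_version 1.1;
        # The Plex web UI keeps a websocket open for live updates.
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Example usage (assumed paths):
#   make_selfsigned_cert plex.home.lan /etc/nginx/certs
#   write_nginx_site plex.home.lan /etc/nginx/certs /etc/nginx/sites-available/plex
```

After writing the site file, enable it, run `nginx -t`, and reload; then import the generated .crt into the trust store of each client that should reach plex.home.lan without warnings.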

something you sign into with credentials. The same type of credentials you use to log into Plex.

I don’t think having parts of your account database ripped off twice in 3 years is “doing better than most”.

This is a fairly profound hack, someone got fairly solid backend access to an important database. That seems significant to me. This is, in theory, one of the best protected databases… or should be!

They sure have a long way to go, this is 2 password database hacks in 3 years. Apparently “trying to do better” forgot “… and failing at it.”

Seriously, 2 hacks that seem to be nearly identical. Did they forget to close the back door again?

There are several advantages to central authorization over individual authorization on each PMS:

  1. Reused passwords are not seen by PMS owners. If a user reused a password and the authorization were done on a PMS, the PMS owner could see the actual password used by other parties and thus could compromise other accounts.
  2. Single account for multiple PMSs.
  3. PMS discovery. The less tech savvy folk don’t need to be told to enter an IP address/name to access the PMS and to update it should that IP change.
  4. Relay. Not everyone can use direct connections, and even then, sometimes it breaks.
  5. TV client sign-in. This would be much more difficult if the auth were per PMS.

There is far more than just this.

Close, but I find ACLs to be much more reliable. No need to deal with umask or sticky bit issues. Instead, set default ACLs on directories and all subsequently added directories/files have the necessary permissions.
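The 755/644 layout recommended earlier in the thread and the default-ACL approach in this reply, as one added shell example (not code from any poster). It assumes a media root such as /srv/plex/media and that Plex runs as a local account named plex; both are placeholders. The first two functions apply and verify the plain mode layout; the third adds an access ACL for the Plex account and the matching default ACL, so files and directories created later under the tree inherit the entry regardless of the creating process’s umask. The ACL part needs the setfacl/getfacl tools and a filesystem mounted with ACL support.

```shell
#!/bin/sh
# Added example (not from the thread): normalise a Plex media tree to
# 755 directories / 644 files, then add a default ACL so anything
# created underneath later inherits read access for the Plex service
# account without depending on umask. Paths and the account name are
# assumptions.

# Set every directory under $1 to 755 and every file to 644.
harden_media_tree() {
    dir=$1
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
}

# Return 0 when nothing under $1 deviates from 755/644, 1 otherwise.
# POSIX find: -a binds tighter than -o, so this is
#   (dir and not 755) or (file and not 644)
verify_media_tree() {
    dir=$1
    bad=$(find "$dir" -type d ! -perm 755 -o -type f ! -perm 644 | wc -l)
    [ "$bad" -eq 0 ]
}

# Give user $2 read (and traverse, via capital X) on everything under
# $1 now, and make the same entry the default ACL on every directory
# so future files and subdirectories inherit it. setfacl ignores the
# -d entry on non-directories when run recursively.
set_default_acl() {
    dir=$1; user=$2
    setfacl -R -m "u:${user}:rX" "$dir"
    setfacl -R -d -m "u:${user}:rX" "$dir"
}

# Example usage (assumed path and account):
#   harden_media_tree /srv/plex/media
#   verify_media_tree /srv/plex/media && set_default_acl /srv/plex/media plex
```

After running this, `getfacl /srv/plex/media` should show both a `user:plex:r-x` entry and a `default:user:plex:r-x` entry on the directory; a file dropped in later by another account will carry the inherited entry, which is the behaviour the reply above prefers over juggling umask.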

And there will be many more like it. It’s the nature of software development and online infrastructure. Unless you’re unplugged from the internet you’re more vulnerable; that’s just how it is. Even if the vulnerabilities are similar, I don’t know the conditions used.

Plex should have a better post mortem, I agree, but full disclosure happens after everything they can do to ensure that the issue is fixed has been done. That’s likely where the vague details come in, because they will clean house first, but informing us is also important and they have done that.

That’s fair. My setup is a little different: I let Samba handle ACLs, but the folders have set permissions. Anything new recursively gets set by Samba. Then I set Docker to have the media folder read-only and the LXC container to be read-only for the media. Samba can be accessed externally as the drives are on another NAS in another Proxmox node in another LXC plus Docker. So I have distributed storage lol.

Most people don’t have advanced setups.

If the passwords were securely hashed and I don’t need to worry about them being accessed, then why am I being pushed to change mine? Best practice? Because when I look at all the trouble people are having when they change their password, I’m not anxious to do it. I also haven’t been able to get the email from Plex verifying me so that I can even change the password.

That is my approach, even though I use 2FA.

I know my old password so didn’t need the email. Can all be done locally.

Some people have indeed. I had no issues at all other than a slight delay on some clients going back live but that was due to load I am sure.

Some configs will have issues but given the complexity of remote access and Plex server-client setups and all the various hardware that has to be taken into account, not surprising that some will have issues.

If you have 2FA set up then a password change is largely irrelevant. My password manager’s recent entries are more 2FA and passkeys than passwords these days.

If you have 2FA set up, and the password has not been used anywhere else, then a password change is largely irrelevant. Credential stuffing is alive and well, and usernames/passwords are probably already making the rounds.

I’m ■■■■ about entries in my password manager :slight_smile:

Anyone stupid enough to use the same password elsewhere deserves what they get.

Plex MUST finally implement local auth. It is ridiculous I can’t directly access MY OWN SERVER.

Give me API keys and decouple the silly “claim” nonsense. I don’t want an account and I don’t want to use your janky OAuth.