In the past, Plex has sent out these emails in batches, so as to not overwhelm their mailing system, and password reset system. I remember people having trouble resetting passwords in 2022 because it was under so much load. I would guess that this time they’re trying to spread that load out a bit across their mail system and password reset system. Having millions of people hit it at once would be quite the strain.
I am very curious what Plex intends to do about the terrible user experience when resetting passwords. Everyone has been freshly punished again with this breach.
I for one will be hesitant to click that button next time. Apparently signing out of all devices does not sign out; it leaves your devices in a half-signed-in state from which you cannot reasonably recover. (This is what happened to me at least, and it sounds like a lot of others.)
You can either screw up and recover gracefully or not screw up at all. Please pick one.
I wish I could say that the mentioned data in the official announcement would be the limit of the breach but I suspect it isn’t. The phrasing is only that the information includes the named information, not that it is limited to it. So I agree there is more to know - but I don’t think we will be told it. Plex is an awesome product but I have moved away from it exactly because I don’t trust them with my data. In particular if there was a buy out which I think is on the cards. I haven’t deleted my account yet because I wanted to be sure of my decision and the subsequent deletion of a lifetime pass, but I have been surviving without it for some time now. The thing is that even if I delete my account that doesn’t mean my data is deleted either.
I just got the email... well, better late than never.
I am sorry, but until Plex gets its ■■■■ together, I recommend people look for alternatives.
Anyone else not receiving an email from the password reset? I tried it yesterday and today but nothing?
Yes, I sign into Google’s servers to use Google’s servers.
With Plex I sign into Plex servers to use the server that is hosted on my LAN and does not require WAN routing.
Auth could be implemented entirely client side so you don’t need an Internet connection to use it for instance.
It’s a slow rollout of emails. They can’t hit millions of emails at once; it would be too much strain.
I mean if you want a completely offline plex that’s not claimed or logged in you can. It’s just not going to have some features like plex pass hw transcoding, tonemapping. It won’t have remote access without using a vpn tunnel to bridge into your network.
Cool so we agree. Both Google and Plex require credentials to login and specifically in relation to this thread, credentials are shared.
None of the rest of your response relates to the topic.
I guess the other important thing I’d like to know is if the database also contains hashes of old passwords. Are people that reuse passwords going to have to worry about passwords that were not currently in use by Plex? @dane22
Yep, I have the same thing: changed my password and now Plex cannot see my server - I have installed the server 3 times now and I seem to be in a doom loop. Totally frustrated and don’t know what to do - I have also tried uninstalling everything, server and app, and starting again - same problem. Wished I had not changed my password now. And yes, at some point Plex said login and just wanted my email address and never asked for my password. It seems everything is screwed up now. I am guessing something has really screwed up judging by this thread, so I’ll uninstall everything again and try again in a week or so.
I had the same problem. This is what worked for me yesterday:-
- in the browser, go to: http://192.168.0.10:32400/web (where 192.168.0.10 is an example local LAN address of your server)
- You should then be able to re-login
- Note warnings the server is not claimed and is not secure
- Click the button to “reclaim” the server. Hey-presto!
Try this?
So, another hack on top of the hack they also had in August 2022. Did they learn nothing!
Oh, was it by the same attack vector?
Any more info you can share?
ps - I’ve been around with Plex since 2012/2013 btw and have seen a few attacks, most unsuccessful. I’ve never had any concerns TBH. Even more so the last few years with improvements to general security options, not just within Plex. At least the port probes have gone away thanks to some local changes I made. Plex provides all the info I need but it seems others need more.
As for ‘what now’, everything operating as usual with my server and clients. Very little downtime. The incident even prompted me to clean up some other accounts and migrate them to non password logins.
This helped me: https://support.plex.tv/articles/204281528-why-am-i-locked-out-of-server-settings-and-how-do-i-get-in/
Specifically I had to edit my preferences.xml and restart the container - followed by feeding it a new claim token.
I don’t think the recent CVE vulnerability Plex had is the same problem they had the other day with the data breach. Maybe it is, if so oof. But more likely something else and people are just putting the two together in lieu of any official post mortem.
That’s the FINAL STRAW PLEX!!! you clowns not only ruined a once adequate app and user experience, you got greedy, took a page from Sonos’ “how to ruin a once good company”, and now exposed us to not only 1 but 3 major security lapses with little to NO support, and poor explanations.
We’re not alone, just check the RECENT App reviews on the Apple Store. We’ve been PLEX fans for over 10 years and now have DELETED all iOS, WINDOWS, and NAS apps and servers. This poor excuse for a leadership team has screwed the pooch royally and you don’t deserve another dime from anyone! Gone to Infuse (free version) + HDHomerun for DVR solutions. “Don’t let the door hit ya where the good lord split ya!”
Was a subtle response to the inflammatory post.
This stuff happens, but people who jump up and down and think the sky is falling really aren’t aware of how common this is with all software. A lot never gets reported to the end user.
Still, if it worries people and they prefer to go elsewhere then go for it. Good luck.
I’ve changed the password in my password manager before I realized that one needed the old password to use the web app to actually set the master account password.
I do not ever get an email message containing a link with a token as a GET parameter. The plex.tv/reset page does NOT work.
Since my Plex server is now effectively out of control and is exposed to at least some degree, I’ve no choice but to dump it and use something else. At least I never paid for the silly thing.