Strange user suddenly on my account

A new user suddenly appeared under “sharing”. Never invited, never accepted, didn’t share any libraries, didn’t get any email notifications.

But somehow this person got into my shared users with access to all my libraries.

Don’t know how they did it, but there is a security hole that needs to be investigated.

Currently there is no way to stop new users joining.

I wanted to warn everyone to check their shared users.

Can you PM me the username or email of this user?

I’ll do one better, I’ll publish it publicly.
Lucho1481
llamicela@yahoo.com.ar

You’re not the only one. I just checked my list of users in Tautulli and sure enough, the same exact user appeared on my list. There wasn’t any history associated with it, but to be on the safe side, I purged the user and deleted the profile. Are others having the same problem?

So Plex has a security hole they need to plug

I didn’t delete him I just removed all shared libraries. If I deleted, he might just come back.

Okay, getting worse now: someone just used my account (that is PIN-coded) to watch something.

On top of that, my dad’s account was accessed to watch something on my Plex account last week.

Plex you have a major security breach here!

Are you using a reverse DNS server to access your server with a custom domain name?

DuckDNS.

I’ve just changed my password and re-signed in. Plex displayed a pop up stating “this server was unclaimed” so I clicked “claim”

Let’s see what happens…

I am not familiar with DuckDNS.
Does this mean that your server is running in a datacenter? Or is it at home, in your home network?

Home server; DuckDNS allows me to have my dynamic IP fixed to a fixed DNS name.

By home server I mean a Windows machine that’s always on, linked to some large NASes.

I host more than Plex on this server.

Thank you by the way for your replies, anything you need just ask.

Was it from a mobile device? The mobile apps require signing in with your account info and do not need the PIN unless you change users or after the initial sign-in. If this is the case, then that person may have your Plex account password. Or, if you’ve linked a Google or Facebook account, they may have access to one of those and are signing in that way.

That’s not clear. Do you mean someone else used your Dad’s account, or somehow your Dad accessed your server and you hadn’t shared with him?

Yes it was from an iPhone that he accessed my server from.

So my dad and I share our servers. I’m a user on his and vice versa.

After I saw him watch something that was out of character, I called him only to find out it wasn’t him. I traced the IP to what I can only guess was a VPN tunnel; it’s random throughout South America.

Assuming my account was hacked - plausible. How come it wasn’t locked after a series of unsuccessful logins, or why didn’t I get an email if a login was attempted? Or better yet, an email of a successful login from X IP/location.

Can all accounts be brute forced?

From reading above, a few accounts might have been brute forced?

Right, so this person might know your Plex password. Have you changed your password recently? Make sure to check the box to revoke access from previous devices; otherwise they are already authorized, and your changing the password would only affect new devices.

Are you set up with Plex Home, and is your dad a member? If so, does he have a PIN? It’s possible the person started with your account, then switched to your dad’s to try and throw off the suspicion.

I’ve been told, there weren’t a series of unsuccessful logins.

The PIN yes, it’s only 4 digits. Your Plex account password, no. We do put blocks after a number of failures, but there were no failures in your case.
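The two mechanisms discussed in the replies above (a password change that only revokes existing device sessions if the "sign out connected devices" option is chosen, and a lockout that only triggers after a run of failed logins) can be shown with a small model. This is an added illustration written for this page, not Plex code and not posted by anyone in the thread; the threshold `MAX_FAILURES`, the token format, and the PBKDF2 hashing are assumptions, and Plex's actual values and internals are not stated here.

```python
"""Toy account/session model: device tokens survive a password change unless
explicitly revoked, and a failure counter locks the account after repeated
wrong guesses. Added example; not Plex's implementation."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 5  # assumed lockout threshold; the real Plex value is not given in the thread


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    device_tokens: dict = field(default_factory=dict)  # token -> device name
    failures: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 is an assumption for the example, not a claim about Plex.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self):
        self.accounts = {}

    def create(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str, device: str):
        """Return a long-lived device token on success, None on failure.
        Only wrong passwords count toward the lockout; a correct first guess
        leaves no failure trail, which is the situation described above."""
        acct = self.accounts[user]
        if acct.locked:
            return None
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True
            return None
        acct.failures = 0
        token = secrets.token_urlsafe(32)
        acct.device_tokens[token] = device
        return token

    def is_token_valid(self, user: str, token: str) -> bool:
        return token in self.accounts[user].device_tokens

    def change_password(self, user: str, new_password: str, sign_out_devices: bool = False) -> None:
        """Rotate the credential; existing device tokens stay valid unless
        sign_out_devices is set, mirroring the checkbox discussed above."""
        acct = self.accounts[user]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        if sign_out_devices:
            acct.device_tokens.clear()


def demo():
    """Walk through the scenario; returns four booleans for checking."""
    svc = AuthService()
    svc.create("alice", "correct horse")
    # Attacker already knows the password and signs in once from a phone.
    attacker_token = svc.login("alice", "correct horse", "attacker-iphone")
    # Password change WITHOUT signing out devices: attacker's token still works.
    svc.change_password("alice", "new pass 1")
    still_valid = svc.is_token_valid("alice", attacker_token)
    # Password change WITH the sign-out option: token is gone.
    svc.change_password("alice", "new pass 2", sign_out_devices=True)
    revoked = svc.is_token_valid("alice", attacker_token)
    # Brute force: repeated wrong guesses trip the lockout.
    for _ in range(MAX_FAILURES):
        svc.login("alice", "guess", "bot")
    locked = svc.accounts["alice"].locked
    # Once locked, even the right password is refused.
    refused = svc.login("alice", "new pass 2", "owner") is None
    return still_valid, revoked, locked, refused


if __name__ == "__main__":
    print(demo())
```

The point for anyone in the thread's situation: rotating the password alone leaves any already-issued device session untouched, so the revoke option (and a review of the authorized-devices list) is the step that actually evicts an attacker who logged in with the correct password on the first try.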

It does indeed look like my account was hacked, but reading above that same user accessed another Plex account. So there could be a vulnerability somewhere. I find it difficult to believe he guessed my password without trying a few wrong attempts.

As a feature request, maybe do as Google does. “New login notification” email with the application used and location.

I’ve already reset my password, you can see my comments above on that one.

When you reset the password, did you choose the option to “Sign out connected devices after password change”? If this person already authorized a device, changing your password doesn’t revoke access unless you enable that option.

I did indeed; I also removed him from the authorized devices and kept his created user but removed all shared content.

Same thing happened to me. At first one person, whom I deleted. A week later I found 2 more that I also deleted, and today found a number of people listed as sharing and more listed as pending. Not happy.

I do think some investigation is needed on this front, Plex.

All these can’t be a coincidence.