Suspicious New Device

Today I got a notification on my phone that read: New Device
Popupkiller used a new device to access : Safari (Safari)

I don’t own a mac, or any apple product, and therefore don’t use Safari, so I immediately did a password reset, and booted all devices at the same time.

Some hours later, I noticed the same message pop up. I thought this was strange, so I went to my server and checked the devices, and no new devices showed up around the time the notification popped up. And no Safari devices were listed.
Nor had I received any e-mails today at all about a Safari browser logging on to my server.

What’s going on here?

Did you choose the option to sign out devices as well? Changing the password only prevents new devices from connecting. If something is already connected, changing the password doesn’t disconnect them.

Before doing so, verify that your email address hasn’t been diverted.
https://app.plex.tv/desktop#!/settings/account

Do also verify that you are not on this list: https://haveibeenpwned.com/

I’m sorry. I should have been more clear, but that’s what I meant when I wrote “booted all devices at the same time”

Shouldn’t that boot all devices from here as well?
https://app.plex.tv/desktop#!/settings/devices/all

Do you have ‘managed’ users with Apple devices?

The e-mail address I use for my plex account is not on that list. A variation of it is, so it could have been a guess based on some knowledge of how gmail works, but my password is unique. I use different random passwords of 12 or more characters on every account of mine. And how would they even get my new password that I just created without doing a password reset.

My e-mail has not been diverted, as I got an e-mail after the first password reset, telling me that I had logged in from the expected browsers. I also double-checked my gmail settings to make sure. Nothing there.

Not that this is what happened, but it is possible. A keylogger, on whatever device you used to change your password would give them instantaneous access to the new password… This is rare however, and may not be what’s going on, just saying it is possible…

I feel like if that was the case, the device should have showed up under Authorised Devices, but it doesnt.

I got one of these today on my phone too. Android phone with the Plex app:

New Device
“[my Plex username] used a new device to access [my Plex server’s name]: Safari (Safari)”

There is no way I’ve been leaked or hacked, this is a brand new Plex server I installed on a brand new machine in the past 24 hours. I’m the only one that has access to it.

I checked the logs, and it was an IPv6 address that seems to be coming from Facebook?:

2a03:2880:30ff:f::face:b00c
2a03:2880:30ff:6::face:b00c
2a03:2880:30ff:a::face:b00c
2a03:2880:30ff:70::face:b00c
2a03:2880:30ff:15::face:b00c

I also see 2 lines: a REQUEST and a COMPLETED for a GET /?fbclid= followed by a very long hash.

Doesn’t matter if it’s a new server or not. If is was a leak, it would have been your Plex account info. Are you using Tautulli and enabled it for remote access? There is a some sort of security setting that you can and should enable. Without this, someone could gain access to Tautulli and then get your Plex account info.

Here is a link to some more info on this issue. Unauthorised Access to Plex Sharing - #4 by OttoKerner

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.