Thoughts on the forced Username implementation

Auto generated username made my legal name public without my consent! This is a serious oversight on user privacy and could cause serious legal problems in EU.

Fixing a gaping security and privacy hole is anti-user?

No, the change itself is fine, but if you work in IT you know that making direct changes to user accounts without plenty of advance warning is a horrible idea. An explanation for the change should have gone out to all users before the change happened, to prevent as much confusion as possible. All the upset and confused responses here and on other sites are the direct result of that lack of advance notice.

Just as an anecdotal example, I already had a username so my account didn’t change at all, but almost all of my users did and they don’t have custom icons or anything so it suddenly looked like I had a bunch of unknown new users on my server. Quite confusing since I had no notice myself that this change was coming.

What they need to do, and quickly, is give us an opt-out to the “Grant Library Access” search option.

Agreed, but I’d go a step further and say it should be opt-in instead. The last thing Plex should be trying to do is try to become a social media site.

I’m very confused because I’ve had a user name since Plex began. Now I have an email that says it’s been changed (uh, why?) but it’s still showing my old username. I’ve NO IDEA wtf is going on.

Same as above… you probably created a different account at some point. Check the exact e-mail address to which the notification was sent… it’s probably different from the one used in your regular account.


It did not make anything public that wasn’t already public. If your legal name was in your email address and you never set a username then it was always visible. If anything this change made a shortened version of the left side of your e-mail with a few numbers.

Sorry to be the bearer of bad news but there’s a whole lot of people here in this thread that don’t know any better.


I find it deeply upsetting that Plex would unilaterally implement usernames on accounts with no warning at all and no options to avoid these unilateral changes to user accounts. I will certainly no longer be recommending that anyone else I know pay for a Plex subscription or a lifetime Plex Pass.

You already had a username. It was your e-mail address and it was public. Now you have a dumbed down version of your e-mail address which can’t be used to do a multitude of nefarious things. There is ZERO reason to even scoff at this decision.

If you don’t like the username feel free to change it.

But we already know this isn’t your REAL Plex account now is it?


If your assertions were true, then there would have been no need for the unilateral change. You obviously have your own issues you need to deal with considering your personal attacks against others. Pretty sad.

Everyone did have a username; it was set to your email if you never changed it when your account was created. It was changed because, like on this forum, it could be seen.

If you scroll up in this topic and look at the usernames of those who posted you will see multiple folks who never changed it. The forum software will remove the @ symbol and special characters but it is still obvious.

It’s hard to believe how little it takes to get some wrapped around the axle.

It’s almost as if we’ve run out of important things to worry about.


Very bizarre change, speaking as a security professional. Not sure why you thought it was a good idea to increase the attack surface for all users.

If a user doesn’t use the “Allow username to be used when signing” option, I don’t think it actually increases the attack surface in any material way, though. No?

Good point @Tion1. But I didn’t even realize that option was there and it was enabled. I would imagine that is the default setting, as I can’t imagine having enabled a setting which I didn’t know existed.

For me, it was enabled by default.

It does seem to be enabled by default. Good catch! It’s something that should probably be ‘opt-in’ instead of enabled by default.

If I had to describe this thread in one word, that word would be myopic. Plex could have communicated this change better, but it was absolutely the right thing to do.


I completely disagree with this statement. Not only is the way it was worse, it also has a larger attack surface than the change.

When you have somebody’s e-mail address you potentially have a platform to attack that could be directly linked to a person’s whole life, whereas now it’s limited to just Plex.

Having an e-mail address gives an attacker an unlimited attack surface. Not only can they attack the Plex account, they can now also attack the e-mail provider and any other service deemed to be linked to said e-mail. A HUGE attack surface.

Can a person with ill intent now try to log in to a Plex account with both a username and an e-mail? Sure. But it’s always been this way for most users. It doesn’t change the probability of attack success. We knew the username and/or e-mail anyway with the way it was. Now a user can definitely only allow login by e-mail instead of username, so it actually DECREASES attack potential.

Should Plex force a default for new users to allow e-mail login only when not using 3rd party login? Probably should. I’m not sure if it’s the default when signing up, but it should be, and then have an opt-in for username login. This will largely decrease any attempts at breaching security.

Also set up that 2FA using a password manager or Yubikey.


You’re misunderstanding what I mean by “attack surface”. Yes, I do agree that having an independent username login is probably better, but now each user has both their username and email address that can be used to access Plex. Typically, when we discuss “attack surface”, we refer to the application at hand, and not the general risk. In my line of work, we call something like an exposed email address a vulnerable asset, which introduces further risk to the user. And you are completely correct in your assessment, I don’t disagree at all. Apologies for the confusion, I should have clarified what I meant.

You can think of the “surface” of Plex being the login screen, and Plex has increased that two-fold for my users.

Now the risk is how the usernames were generated. All of my users now have the same number of letters + a few numbers, which has made it drastically easier for a potential attacker to guess a username.

I’ve already instructed my users to disable logging in with usernames, and I also force them to use 2FA for their accounts, so that’s taken care of. I mainly worry about people who do not have this knowledge.


Thanks for your input here as a fellow security professional, it is good having a like-minded person being subjective on this thread!

Just remember this exposure is not only on the login screen, but in the “invite a friend” section too, where all accounts are discoverable, so as you say, the “attack surface” extends beyond just user logins.
