So, a hacker gets my account info. What info would they actually gain?
I understand they could change my password. It looks like they could change the email address, too. I imagine Plex would send a message to both “new” address and old/current address confirming the address change…?
I don’t have remote access enabled, no linked accounts and I am not (knowingly) syncing across all devices. Would someone gain access to my local server with hacked user name/password? What would they get at?
Going back to changed email address and password: I have a Plex Pass. Can I contact Plex with a report of changed account info to re-establish my Plex Pass link to a new Plex account and email address?
I don’t think hackers have access to our accounts. Like most sites nowadays, Plex only stores a one-way hashed version of our passwords. When we enter our password on the site, it does the same one-way algorithm to our newly-entered password, checks that THAT matches the hash they made of our password originally. If they match, then you entered it in right. So, with the hash, they cannot access our accounts without knowing the password itself. Without being able to login, they can’t change account info such as email address.
Theoretically, knowing the hash of your password, someone could attempt to run every possible letter/number/special character combo through, to try to generate the same hash that they see on your account. This is called brute forcing, and it is very difficult to pull off. And then, it’d only work for your account, not anyone else’s, so it’s not likely to be worth doing, as by the time they manage to brute force it, you probably changed your password.
As for access, as long as you have remote access disabled on your end, they could not ever get into your computer/server to mess with any server-side settings (or delete files). The worst they could possibly do would be to de-authenticate the server, making it so you cannot access the server easily.
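To make the one-way hashing described above concrete, here is an added example (not Plex's code; the page does not say which hash Plex uses, so PBKDF2-SHA256 with a random per-account salt is an assumption). It shows that the site keeps only a salted hash, that a login is checked by recomputing that hash, that the stored record itself does not work as a password, and that the per-account salt is why a brute-force effort is tied to one account only.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Stored record format is constructed for this example:
# "pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>"
ITERATIONS = 200_000  # slow on purpose: every guess costs this much work


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Build the stored record. The plaintext password is never kept."""
    salt = salt or os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-run the same one-way function on the login attempt and compare."""
    algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def hash_alone_does_not_log_in(record: str) -> bool:
    """What a breach exposes is the record; submitting it (or just the hash) as the password fails."""
    hash_b64 = record.split("$")[-1]
    return not verify_password(record, record) and not verify_password(hash_b64, record)


def same_password_different_accounts(password: str) -> bool:
    """Two accounts with the same password get different records, so one cracked hash reveals nothing about the other."""
    return hash_password(password) != hash_password(password)
```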
I don’t see any reason why Plex couldn’t allow you to make a new account and “gift” it a Plex Pass, deleting the old account (if you want to go that far). Seems a bit much to want it, but
Suggest you contact them before making any account changes. Click on Billing Questions at the bottom of the page.
Also, maybe wait a day or two. Their systems are slammed right now and struggling to handle all the password reset requests. Even if they had the manpower to respond to your request, the systems may not let them do so right now.
If you have not already changed your password, do so via account settings: https://app.plex.tv/desktop/#!/settings/account. Scroll down to the password section and click on Edit. There is no need for an e-mail as long as you know your current password.
Do not try to enable 2FA, as that requires an e-mail from Plex (if I remember correctly), and that system sometimes takes an hour or longer to respond today. Give things time to settle down, then, if desired, activate 2FA on your account.
Thanks for the replies. I was just kind of thinking out via keyboard. No issues here that I am aware of. I already changed password, but had to wonder how bad this could have gotten in a worst-case situation.
Problem is, I don’t remember what all info I provided. And even if I did, I’m not sure what all info could have been available to grab.
If the hacker has a Plex account and also “stole” their own info, they know their password and have the hash to form a template. They’re part way home to figure the rest. I guess one could look at any account that used a really long password that includes most ASCII characters.
Just fyi - my account was compromised.
Plex did send emails about the data breach and new logins - sadly they were flagged as spam.
Approximately ten hours after the email informing me of the data breach I had a new login from Australia. Two hours after that there was a new login from Russia. Fortunately the only change I have been able to discover was the addition of a new user added to my friends list. User name was “frostkyro” if any Plex employee wants to look into it. IP address indicates they were accessing content from the Philippines - though I’m certain all of these addresses were spoofed.
I had previously used a very insecure password so it does not surprise me that it could be brute forced. Two factor is now enabled and password has been strengthened. Please update your own passwords and if you happened to see a “new login” email - check your “friends” to see if you’ve made any new ones.
Did you use the same email/password combo on another service, which had been breached? It’s quite likely they already had your email/pass combo from another site breach and just tried it on Plex since the list here had our emails.
This is entirely possible and I apologize for neglecting to mention this in my previous post. I certainly didn’t mean to imply the issue was entirely on Plex’s team - only that some information was made available and it had been used.