Plex: Important notice of a potential data breach

231 points by Flollop ↗ HN
Dear Plex User,

We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.

What happened

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

What we're doing

We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.

What you can do

Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password [here](https://support.plex.tv/articles/account-requires-password-reset/?utm_source=Plex&utm_medium=email&utm_content=reset_password&utm_campaign=sql_db_password_reset).

We'd also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling [two-factor authentication](https://support.plex.tv/articles/two-factor-authentication/?utm_source=Plex&utm_medium=email&utm_content=reset_password&utm_campaign=sql_db_password_reset) on your Plex account if you haven't already done so.

Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third-parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses.

For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/account-requires-password-reset Thank you,

The Plex Security Team

193 comments

[ 3.2 ms ] story [ 219 ms ] thread
This disclosure is no where to be found on their website or blog, and it provides no timeline, no details about the attack, and no details about what data was accessible beyond "a limited subset of data that includes emails, usernames, and encrypted passwords". Very very frustrating.

As of Aug 23 11:24PM PST, Password change page is sort of working, at times displaying error message "Internal Server Error. Something went wrong on our end". I was able to get my request through. Shortly after, a server instance started showing unclaimed status and reassociating it resulted in "Plex is down for maintenance \ Don't worry, it will be back soon \ status.plex.tv".

(comment deleted)
It appears the password change works fine if you deselect the "Sign out connected devices" box. [1]

[1] https://twitter.com/troyhunt/status/1562329358282285057

Mine worked fine with that checkbox on. However, I cannot get my home server to appear again, even after getting a new claim and restarting it.
This is exactly what I had happen as well.

I'm going to give it some time. I also even went through these steps (https://support.plex.tv/articles/204281528-why-am-i-locked-o...) without success.

It didn't work for me after restarting with a new claim and when i checked the preferences it contained `PlexOnlineToken=""`.

After removing the attribute entirely it was able to successfully reclaim the server.

I had the same "", but after restarting all the web interface says is Connecting. Then the server just doesn't show up in the list. <sigh> Might just need to blow up my whole config and reimport everything.
So a coworker suggested I try accessing my Plex instance by internal IP, not internal hostname. And that... worked. When using hostname, the way I always had for everything else, it'd show that I didn't have access to the server.
I got it claimed again after several tries. I suspect they are getting hammered by a lot of people doing the same thing (changing passwords)
Forgot my password doesn't work nor the settings screen password change. If you gonna ask all your users to reset passwords you might want to actually scale up to allow them to do that
This. And also if you know what "limited subset" of accounts were compromised, you might want to notify only the users affected, and reset the passwords for them.
(comment deleted)
> you might want to notify only the users affected

I believe they're doing that. I double-checked and got no email from them.

Thanks for posting that. I was about to get out of bed to change my password, but now I’ll let it wait until morning.
(comment deleted)
I'm sure glad they spend enough time securing the application and not developing silly features that no one wants. /s
I personally wish companies would encrypt email addresses in their database, this would at least help against SQL injection attacks and some others (e.g. attacker has only DB system access and not app server access), so it's more difficult for attackers to aggregate data on me. To me it feels very casual waving away the leak of email addresses and just give the usual "passwords were encrypted". But YMMV.
The difference between email and password is you can validate a password with a hash, but you can’t send an email to a hashed address. Their db may be encrypted at rest, but a hacker could still compromise a system that has the key in memory.
> a hacker could still compromise a system that has the key in memory.

Security is about layers. Simply because a hacker “could” do something, does not mean it’s a bad idea. Getting the encryption key when it’s not stored in the database requires the hacker to now have access not to just the database but to another system as well.

Invariably some developer would just store the key in a column next to the email address so they could process any transaction directly in the query.

But the hackers would have to know what algorithm was used :) That's a layer, right?

> some developer would just store the key in a column next to the email address

I think that depends on where you work. Process. Code reviews before allowing merge/pull requests can help.

This is an excellent point, but there's nuance to it.

This seems like an acceptable solution for email and a lot of other PII. However, if you were to propose the same thing for passwords, with the same argument, I'd be dead against it -- even beyond the total lack of need for the system to ever have the actual password. I'm not quite sure how to explain this, though.

There’s no reason a company needs to know your password. But they do need to know a way to contact you.
Encrypt the email in column, add hashed email in separated column. Email Sending would then be covered by a separated and "airgapped" system that holds the decryption key, if you need to send mail, you send the encrypted email address plus what you want to send there.

Now an attacker cannot get a hold of email addresses easily.

How would you tell the airgapped system what to send?
I used quotation marks on purpose, it is of course networked, but would be using different credentials to other systems and have a ingest-only API endpoint to issue mails with.
That's a simple and brilliant idea. I'm running with it.
This is a great idea. You could use public key cryptography too, so that the system adding emails to the db doesn't need the private key.

3rd party mail sending services could support this by generating a keypair on their systems, and only giving you the public half. When you make an API request to send an email, you provide only the encrypted version of the address.

Edit: The hashing is an issue. It's too easy to build a wordlist of possible addresses, to crack the hash. I think this can only work if you drop the hash column, and instead require users to log in using a username.

The hashing is an issue but you need to identify the user somehow when you do things like password resets.

The alternative is to handle everything by a username and password resets also use the username (which would be fine, worst case you get spammed by PW reset mails).

Though of course you can also combat this by making the hash particularly expensive and salt it. Simply take a SHA3-512 of the email address a few thousand times, take the first 12 bits and use that to identify a set of 4096 records. Now the full email is simply an application of Blake2sp, which you calculate in parallel for all 4000 records.

Adjust the 12-bit barrier so that it represents a decent sized chunk of users, lower would mean less load on the login service, higher would mean better anonymity. Instead of SHA3-512 you could also use a bloom filter to find out if a set of records contains the email or not, with the added bonus of being probabilistic.

You could also ditch Blake2sp for a simple round of salted SHA3-512. The fact that you salted it makes dictionary search insanely annoying already.

It seems to me that encrypting emails is either untenable or insufficient depending on how you do it. You could do a one-way operation like is used on passwords, but then you can't access the user's email address to send them emails. You could instead do a two-way encryption but that likely means using a hardcoded key to decrypt, and that key can't be considered secure if attackers have access to the system. There may be other more effective options but I'm no security expert and I haven't given much thought to other solutions.
If that 2-way encryption key is stored separately to the database (e.g. only the web server has it, not the database server), it certainly helps reduce the risk that the emails are compromised.
You're mostly right.

Hardcoding a key would be a bad idea. You would need some way to rotate keys. Maybe also encrypt the actual data encryption keys under another key encrypting key.

But this only defends against attacks which can't get that key (e.g. a SQL injection attack that just dumps table contents).

Having said that, you only need to decrypt if you want to send an email, for logging in you could just store a one way salted hash.

More importantly, this is a lot of effort to protect data that isn't usually regarded as that sensitive (unlike the passwords). If I had the security budget to do that, I'd almost certainly spend it on something else.

In the healthcare industry in USA, Personal Identification Information (PII)/Personal Health Information (PHI) needs to be encrypted at rest and in transit and is mandated by law. So, they are required to encrypt PII/PHI data fields.

Some of those practices may be generally applied for non-healthcare settings as well.

Does at-rest mean: encrypted on storage so noone can physically steal a drive or encrypted in the database so noone can get the information with SQL without the key (e.g. Postgres column encryption)?
Conceptually, yes. You can encrypt at the database/filesystem level (where the OS/DB engine manages the encryption keys and enforces access control), at a table level/column level (where the db engine enforces access control) or at the application level (where the application manages the encryption keys and they are separate from the database engine).

They serve different purposes. For eg: When a disk drive is faulty and thrown away, you may not want data to be recoverable from it. So, the filesystem level encryption helps there. A db/table/column level encryption helps when there are different applications (eg: transaction processing and analytics) accessing a shared database. Reporting queries may not need access to the sensitive fields whereas certain transaction processes may need it. In this case, db/table/column level encryption helps. When you want separation of concerns, you can add application level encryption (on top of the other two). Example: Your data is stored on the cloud and you don't want the cloud service provider to know the data or if they replace a disk drive as part of normal servicing, you don't want your data to leak.

This depends on the threat model.

To get nitpicky... (usual disclaimer, IANAL but I worked in health IT including heavy involvement in HIPAA topics earlier in my career) I don't think there's a requirement under HIPAA or HITECH to use encryption.

The relevant parts of HIPAA are the duty to not disclose PHI to unauthorized recipients and breach notification requirements if you do incorrectly disclose PHI (the HIPAA breach notification rule).

The magic of encryption is that HIPAA provides safe harbor if the data stolen/lost/intercepted was encrypted to certain standards. So if you lose an encrypted hard drive full of PHI, or someone breaks into your servers and steals encrypted data but not the decryption capability, then it's not considered a breach under HIPAA and you do not need to notify anyone.

Tons of PHI isn't stored encrypted at rest. Physical theft of the hard drive from the practice's back-end EHR database server hasn't generally been high priority on the HIPAA breach potential risk assessment list. But nearly all data in transit, on employee laptops, etc. will be encrypted, because that's where you want the safety net of the safe harbor provision.

You are right. The law mandates reasonable safeguards and one of them is encryption at rest/motion when deemed necessary by the covered entity (which is quite common in Healthcare).

From the HHS site: https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-...

> Is the use of encryption mandatory in the Security Rule?

> Answer:

> No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.

I was already skeptical of running plex on an internet facing port, this doesn't exactly reassure me of their competence.
If true, then this will probably reignite discussions around Plex requiring that you authenticate with their servers when using the service to view content that you're hosting on your own hardware.

If anyone is curious, then alternatives like Jellyfin exist. It's a bit different and may not have all the features you need, but it works quite well in my experience.

Perhaps the most important thing about Jellyfin is that it's open source. I really wish the project received a little bit more love.
Has an app for the fire stick too which works really well
They have done a great job, but ultimately I believe a tool like Go or Rust would work much better and the XML metadata format while standard is not very good. Would be nice to see YAML or even JSON. Kodi is my go to for the most part, but I will have to say Jellyfin is definitely more polished. It downloaded the transparent logo for the movie I was watching and displayed it so nicely when I started a movie. I remember Plex offering music themes when you were browsing a collection.. I wonder if Jellyfin does something similar already.
I also want to bring into light that Jellyfin is not very secure either [1], its sadly not in a great place to replace Plex still.

1: https://github.com/jellyfin/jellyfin/issues/5415

Most of these issues require a malicious user, right? I think none of them really are a problem for a friends-and-family instance (as long as they don't get their creds stolen obv). For a single-user usage, none of these really are issues, are they?
Driveby scans happen all the time. Mass scan take 15 minutes to scan the entire internet, for instance.
The middle of the list had a media disclosure without any auth via the image API.

That would mean running a publicly accessible instance would be ill advised if you can about the privacy of what you host. Plex on the other hand somewhat encourages publicly accessible instances, so you can listen/watch while not at home.

(The caveat being, certain plugins disclose media to Plex but arguably that's a first or second party not some rando on the internet scraping stuff)

As long as you're not opening JF up to the internet none of these are a real issue, so you're fine with a single person/house/network with trusted users.
To be fair to the Jellyfin team, it seems they inherited a lot of tech debt from Emby which they've spent the last 2 years chipping away at.

It might not be in a great place now, but I'm not sure that's necessarily a reflection of the product

I like Jellyfin, but I need the Samsung client to be finished first. At least it looks like it has been started: https://github.com/jellyfin/jellyfin-tizen
The build steps were a nightmare. That's mostly the fault of Samsung, but it was still very off-putting. Unless I was doing something wrong. It took me a couple full nights after work to finally get it done and on the TV, trying to set up Samsung's developer tools on multiple different machines. I dread having to do it again.
Does it work OK? Was it worth the effort?
Yeah it's been working perfectly for me ever since I set it up last fall (maybe it was winter, can't remember). At least half a year. I'd say it's worth the effort, but the process still sucks.

One of the things I remember making it real difficult was that the UI of Samsung's dev tools app assumes you have the default light theme in GTK (or whatever widget toolkit they're using), and since I had a different dark theme, I couldn't see any of the icons.

So then I switched to one of my devices that were running Ubuntu 20.04 with Gnome, where the app would not launch due to something about "pixbuf". Side note - I'd had that particular error so many times in Ubuntu with various apps that it's the sole reason I eventually learned Arch (and tiling window managers), and haven't looked back since.

I finally managed to get it to launch and work correctly on Xubuntu running on my girlfriend's very, very old laptop that takes about 8 minutes to boot to full speed. So save yourself the headache, and run the Samsung dev tools app on an unmolested Linux installation, with no special theming, that is not vanilla Ubuntu.

I would if I had one. I'm windows-only currently. I guess I could spin up a VM but then I have networking issues...

Thanks for the feedback.

Oh, in that case, I'm sure Samsung has it available for Windows, and it will probably work even better than the Linux version does (considering there aren't dozens of Windows distributions, and dozens of window managers, and a half-dozen popular GUI toolkits to account for).
I've been running it for the past year and besides the occasional odd bug with media discovery, it's run great for me and my family for all our movies and TV a shows.
Yes, it's shocking to me how many people are (apparently) willing to trust a closed source / SaaS product like Plex for this kind of thing.

Jellyfin may not be perfect but surely it's good enough for most use cases.

Plex doesn't require account linking IIRC, it's heavily suggested but you can just access Plex locally without an account.[1]

But otherwise I've switched to Infuse[2] since then, it indexes sources reliably on its own (no manual editing though) and saves the entire need for a server if you use it with some cloud storage. Basically replaced my Plex server, with the added bonus of out-of-home streaming without needing high upload. The major disadvantage is that it's Apple-only.

1: https://support.plex.tv/articles/207538527-do-i-need-a-plex-... 2: https://firecore.com/infuse

With infuse plus cloud storage any transcoding happens locally though which is a problem with weaker devices
That's true, but I hate transcoding anyway so I just get HEVC when possible and play natively on Apple TV and co. (not casting).
Since you have an AppleTV, what is the advantage to you of using Plex instead of just an iTunes instance with Home Sharing turned on? Do you have non-Apple devices you're trying to stream to, or something else?

I tried Plex years ago, and it wasn't to my liking because it was philosophically like Windows (Load the filename up with show information and constantly ping the internet for matches) instead of macOS (Metadata where it belongs — with the file).

I'm considering adding a Sony phone to my household, so now that Plex is in the news, this reminded me to check it out again.

Well are you pirating stuff? I've been using Plex for years now and so its mostly just what I know but when I first started using it the main things it did were a) handle codec issues (transcoding on the fly when needed) b) pulling metadata and images for movies and shows based on title and year in the file name. C) allow remote users (friends, family, etc) access to your library via the app, which works out to being very similar to a regular streaming service from their perspective. Basically nothing else did that and so it had a big leg up over XBMC and other apps folks used back then.

If you're purchasing everything through iTunes (do people still purchase stuff through whatever is "iTunes" now? I guess I don't know that either) I assume its handling transcoding/different device playback and delivering all the metadata for you.

Also once Plex pulls metadata down you're right that it doesn't store it with the file but AFAIK its not constantly hitting the net to pull that info down - it keeps a local cache.

I will say at this point - I wouldn't bother switching to Plex and look for an alternative like Infuse. The company is clearly under pressure to monetize beyond the Plexpass subscription you can buy. They've been steadily adding crap no one wants and automatically jamming it into the home screen of the app where you then have to go turn it off. Its just a matter of time before they cross a line somewhere and people jump ship. When that happens I imagine some of the open source alternatives (Jellyfin) will see a huge influx of development. I haven't switched just because I don't want to be hassled with figuring out a new system.

Not pirating or buying from iTunes. I rip my own media — CDs, DVDs, blu-rays, and records — which means I don't have to worry about a million distant codecs. From your description, it sounds like that's the only benefit of using something like Plex.
For me, the primary issue is that the Apple TV isn't good enough to be the most-commonly-used device driving the display. FireTV (4K version) wins the battle for the living room display (and it's not even close, with TiVo being 2nd and Apple TV a pretty distant 3rd).

To some extent, it's self-reinforcing. Once the FireTV gets a lead, all it has to do to maintain/extend that lead is reasonably support playback of whatever new format/source and Plex works great on it. If FireTV supported TV as well as TiVo does, it might end up with 100% of the living room display share.

(I also have Plex sharing to devices outside the house, but that's a <1% use case, mostly when it's us traveling somewhere and the kids wanting to watch something that's on Plex.)

Fair, I used Android TV (picked a TV with a decent chipset) before, and it played what I wanted well. The reason I got an Apple TV was because I loved Infuse on iOS, wanted some (easier) AirPods integration and found out all the apps I use are dramatically better on tvOS. Plus Android TV was starting to really annoy me with bugs and slowdowns.

I'm not in the US or mainland Europe so Fire and TiVo devices aren't really available or working well here, half their apps would just be blank.

The Apple TV was the last purchase a few months ago, and my main PC is Windows. I used iTunes as a media library years ago but Home Sharing never worked well for me, it regularly just didn't work (Bonjour for Windows' fault) or it lagged.

Ironically I like Plex & Infuse for the reason you hate them, I just give them files whose metadata is just their filename and they can match them to what they really are. No need to keep all the data in media container tags, and a thumbnail/poster that will be pixelated in a few years because something will scale it wrong.

Sony is a valid option given their love for DLNA but I just never really liked the tech. Hell, I have statically-reserved IPs & DNS-registered names for everything in my home.

EDIT: Oh, I forgot -- the main reason I moved off Plex (and would hate iTunes Home Sharing) is I don't leave my PC on. I switch it off daily and don't like to treat it like a server, and to keep using Plex would require setting up a NAS or something (I had my collection on a local SSD for a while).

This is not correct. I've tried the LAN no-login settings and it does not work for many devices (Roku/smart tv/phones). They also fail if you're not on the same subnet as Plex.

For this infuriating reason, moving off of Plex is on my to-do list.

Are there alternatives with smart tv apps?
Emby is close, it missed some video features last I checked but it may be good enough for you.
Jellyfin has an official app for Roku but I am not sure about other platforms like webOS.
But full functionality on Roku is really lacking. They really have not put too much into the Roku client and made the Amazon client way better.
yup--the weekend my internet went out was a real eye-opener and a number of things in my house got the axe including plex. i use kodi now and while its UX is nowhere near as good as plex, at least it works with a LAN-only connection
Oh definitely, once you connect it to an account it nearly refuses to work locally. I tried to set up a cloud-based Plex instance once and I connected it too early, breaking it because UPNP/port forwarding didn't work (yet) and local access was auto-disabled. Even enabled it only half-worked.
Interesting - I don’t have any issues accessing my server without internet, the default for me seems to be run local and then via internet.
I’m currently not logging in while using plex. Just providing that datapoint

edit:

You can also do this: https://support.plex.tv/articles/200890058-authentication-fo...

It is very client device dependent. And I found that when my internet went out, most devices would not work. But after several hours and some restarts it finally started working on some devices. I think this was because of some dns caching issues.
I recently tried this on my setup, two Roku clients and a plex server. Despite my best efforts I could not get subtitles to work unless I had an account signed in with the preferred subtitle options configured for the account.

Being hard of hearing, subtitles are a big deal. I wonder if this is an ADA violation?

It'll probably get answered with "Oops, this is an app bug and it's best if you log in anyway!"

What if you change the global accessibility settings to prefer subtitles? (Or just set SDH/CC somewhere in system settings) I know on Google/Android TV and Apple TV it default-enables subtitles in some apps.

Kodi's pretty good too, and doesn't insist on showing unrelated online content you don't care about like Plex seems to.
Kodis always been the better option if you're remotely technical.
Xbox Media Center for LIFE
I ran Kodi for years, but "always"?

* Kodi only works on my local network. It requires exposing my file shares on whatever VLAN my Kodi devices are on.

* Kodi is a pain to configure. To point it at the aforementioned file shares, I need to copy an XML configuration file, and getting this onto every device is a chicken and egg problem.

* Kodi requires each client to scan and sync the entire library at its CPU and bandwidth limits. My Plex server automatically scans and indexes my media.

* Plex allows me to access my content at the office, while travelling, and to share with friends

* Kodi doesn't transcode, requiring all of my client devices to have enough power and bandwidth to do so locally. Plex makes it much simpler to (for instance) stream a 4k video to a low power device

I know enough to have ran Kodi for years and intentionally switched to Plex full time

> Plex allows me to access my content at the office, while travelling, and to share with friends

Bold of you to trust an opaque corporation with access to your network and the data they can log through that. I wouldn't even trust Synology with their account quick access thing, as seamless as they claim it to be.

I don't really see remote access being secure without it being a self hosted VPN.

My employer can see the data patterns, and I'm struggling to understand why I should care. My media library is entirely legit (I have a crate of 100-disc spindles in the closet) and if they really want to know what movies and music I have, so what? They could see anything I do on Spotify or YouTube as easily, and seeing me stream a bunch of incoming data will throw off far fewer red flags than plugging in an external drive with media files.

If they asked, I'd show them exactly what's up. They haven't, so they don't seem to mind.

It's not full access to my network, it's access to a carefully curated set of media files transcoded through a service. There are no tax returns, no resumes, no porn. Just FLAC, MP3, and MKV.

I don't think you fall into the remotely technical category group.

Kodi can do all those things but you wouldn't as it has much better options to achieve the same result.

I just use Universal Media Server now and the built in media-browser on my Samsung TV. It's a bit janky but it works.

I've tried using Plex before and while the UI is nice, they don't seem to be able to write a video transcoder that doesn't have massive stuttering in it.

It's using ffmpeg. It's limited by the CPU/GPU on the server. You can adjust the options to have it encode faster or higher quality.
Yeah, I'm it's solvable if dug under the covers and spent hours tweaking and running between the PC in the study and the TV in the living room, but Universal Media Server just works.
People on HN always complain about this. But the reality is that the one time payment you (maybe) gave for Plex is not enough to make a viable company. So they have to offer complementary products and for that you need an online account.

Normal people also want to have features like remote streaming, subtitles fetching, familly sharing, etc which are hard to do without centralized accounts. Not even mentionning securing your paid features which you have to do to survive. And that customer doesn't care about the login as long as it is up.

I don't anything plex could do to please this particular demand would ever be enough so for me they do well to ignore it since removing that would effectively kill their business.

I run a lot of self-hosted software services, many of which have their own internal account system and auth. None of the features you mentioned require 3rd party cloud based auth.

I did pay for Plex prior to the cloud auth change, so for me it's a bait and switch, but my concerns are much more about privacy.

One day Plex will be bought by a large media company, and my (and my kids') viewing data and library catalogue data will be owned by MGM, Disney, Fox, etc...

> If anyone is curious, then alternatives like Jellyfin exist. It's a bit different and may not have all the features you need, but it works quite well in my experience.

Jellyfin's DVR service is horrible compared to Plex. Practically unusable. And DVR is the reason I pay for Plex.

Check out Channels DVR
I'm a long time Plex user, and I have not received this email. Not sure if I should be worried or if the breach has just affected a subset of users. I use random unique passwords for everything anyway, as long as no credit card details were taken it shouldn't be a big deal hopefully. I was able to log into the site now and no message was displayed at all.

Edit: Not sure why I would be getting down-voted for this. Security breaches are a big deal, but if the only result of this for the users is that we need to change our passwords that's a fairly good outcome, no? :-) The biggest hurdle ahead for Plex is to figure out exactly what these attackers did, if they were directly targeted and for how long they were in their network. A lot of the times a incident is discovered it's discovered a long time after the first breach (based on my own personal experience)

I received this email 1.5 hours ago.
Likewise, I haven't got anything.
I haven't received anything either, and was able to log in without having to set a new password.
I have received the email. They are not forcing you to reset password on login, you need to go into your account and reset it normally.
I got mine roughly 3.5 hours ago, so after this post was made. Looks like they're trickling out.
I got my notification roughly 3 hours after the Hacker News post.
I got the email about an hour ago.

Understand that sending emails that are not SPAM, to potentially millions of people is NOT a trivial exercise.

Got this about an hour ago as well.
Thanks for sharing this. I got the email, but found it here first. They let us know pretty fast, and gave clear instructions on how to secure our accounts moving forward. That can't be said for all companies that we trust with our info.

It sounds like payment data was stored in a separate database that had a different set of credentials (for this I am grateful).

Thanks to The Plex Security Team for providing details quickly.

No, not all.

> Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

I'm interested to know more around how a third-party was able to access the data with for others to learn and provide use-cases to increase security controls in areas where there may be deficiencies.
question: why use Plex over Kodi?
With Plex and Jellyfin, you set up a central server that will serve clients on all of your devices. So if you watch half of s2e3 on your tablet, then switch over to the living room TV, it will continue where you left off.

They also have clients for all major platforms and for web browsers, and can be accessed from outside of your home. I'm currently in Portugal, watching TV shows off my home machine in Germany via my phone or my Amazon Fire TV or my laptop.

It's much like having your own self-hosted Netflix.

Kodi is (can be) client for Plex, so those are orthogonal pieces of software.
Because preferences. I use Emby and Kodi and generally I prefer Emby's UI.
You can run the client on an existing Roku STB instead of building a separate box.
I'd say it comes down to how diverse your clients and your media library are. Plex can transcode your content on the server and then stream it to clients, which means the clients don't necessarily have to be powerful. Kodi is more of a file browser, it just opens the content from whatever storage and plays it directly.
Ugh, checking that box signed out my server and I've yet to figure out how to sign the thing back in.

EDIT: Figured it out. Need to access the server from the same network (or tunnel to it). You won't see server settings from external network.

Do corporate PR teams force security teams to say encrypted instead of hashed?
Just in the process of resetting my password and their website goes down with a nginx 500 error.
Is it safe to reset the password when there is so much instability with server errors and so on? Do we know that the door has been closed on the intrusion and the hack patched? Right now it feels like I'd be replacing a lost and known insecure password from ages ago for a service I no longer use with a secure one only to have it stolen again.

A delete account option would be nice in this case. I'd rather just have my data deleted even if it has already been compromised just to tie off this loose end.

And now the sender sending the "reset password" email is blacklisted by spamcop, I presume because they are sending so many emails from a server that normally doesn't much. They are not having a good day.

http://www.spamcop.net/w3m?action=checkblock&ip=192.254.122....

> Causes of listing

> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Sounds like their spam trap is broken.

As someone who works in email delivery, spamcop is broken alot of the time...
Tried to reset my password, whole site is offline right now, probably too many people resetting their passwords.
…and now Plex.tv/link is down, so none of my media players can sign back in.

I hope that Plex learns from this and implements LAN-only logins (or LAN-only access) again.

Thank you for reminding me that I need to delete my account with you. Now if you could only keep your service up and running long enough for me to change my password so I can log in and remove my account.
Reminds me I need to delete my Plex account, moved to Emby years ago and it works perfectly.
OT but have others found the Plex Mobile UI completely baffling when it comes to understanding how to download, sync and then delete content that has been synced to that device? I get lost trying to do so every time.
Yes and I've used Plex mobile app for years. Completely frustrating experience every time I need to use the download functionality.
Funny. I got the e-mail about the data breach (which I was actually surprised to get, as I had a local-only version of Plex running on my Desktop computer a while ago), but I am not getting the "reset password" emails... not even in spam :).
Their password reset system is pretty bogged down right now, they DDOS'd themselves a bit sending the breach notice to their user base.
> we want to ensure you have the right information and tools to keep your account secure

Which is of course, a bold-faced lie, otherwise they would never have forced users to open Plex accounts, or removed the ability to conduct authentication locally.