Media streaming platform Plex has disclosed a new data breach, urging customers to reset their passwords after an attacker accessed authentication data from one of its databases. According to a breach notification obtained by BleepingComputer, the compromised information includes usernames, email addresses, securely hashed passwords, and related authentication details.
Plex emphasized that the affected passwords were encrypted using secure hashing practices, making them unreadable to outsiders. However, the company did not disclose which hashing algorithm was used, raising concerns that attackers could still attempt to crack some accounts. As a precaution, Plex strongly recommends that all users reset their passwords immediately.
Source plex.tv.
To safeguard accounts, Plex is advising customers to use the official reset page and select the option to “Sign out connected devices after password change.” This measure ensures that any sessions potentially hijacked by attackers are terminated, although users will need to log back in on all devices afterward. Those who log in via single sign-on (SSO) are advised to sign out of all devices manually through their security settings.
The company further recommends that users enable two-factor authentication (2FA) to bolster account protection. Plex stressed that it will never request passwords or payment information by email, seeking to prevent follow-on phishing attempts. Importantly, Plex confirmed that no financial data was exposed, as it does not store payment card details on its servers.
Although Plex says it has addressed the vulnerability that enabled the attack, it has not disclosed technical details about the breach or how long attackers had access. BleepingComputer reports it is awaiting additional clarification from the company.
This incident follows a strikingly similar breach in August 2022, where Plex was also forced to prompt a mass password reset after attackers stole authentication data and hashed passwords. The repeat event underscores ongoing risks facing streaming platforms as valuable targets for credential theft and account takeover.
For users, the most effective response is to reset passwords immediately, sign out of all active sessions, and enable two-factor authentication. Reusing passwords across multiple services can significantly raise risk in the wake of breaches like this, making unique, complex credentials critical to account safety.
