Plex tells users to change passwords due to data breach, pushes server owners to upgrade

Media streaming company Plex has suffered a data breach and is urging users to reset their account password and enable two-factor authentication.

“An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data,” the company said in an announcement published on the company’s forums on Monday and sent out via email to users.

User and server owner action is required

Plex Media Server is software that’s used to turn computers or network-attached storage devices into a personal media server. The server owner can then grant other users access to the server.

Though Plex did not specify which algorithm it uses for hashing user passwords or whether it adds unique salts to them before hashing them, it says that the passwords were hashed “in accordance with best practices.”

Users have been advised to reset their Plex account password immediately, sign out of all the devices (including any Plex Media Server they own), and sign back in with the new password. Users who use single sign-on (SSO) to sign into Plex should go through the signing out process and then sign in again.

Server owners will also have to claim their server again and possibly update it, as Plex has also announced that it had “made adjustments” that will temporarily prevent “regular” users from connecting to any Plex server they have been granted access to.

The reason given is that too many Plex Media Server instances have yet to be updated to version 1.42.1, which contains a fix for a vulnerability (CVE-2025-34158) that could be exploited remotely by authenticated users to gain access to the server and tamper with it and the data on it.

Plex obviously believes a “personal touch” – i.e., disgruntled family and friends – is the right incentive to push server owners to upgrade, and they may be right.

“Once the server is updated to a fixed version, other users will be able to access again,” the company stated.

Beware of phishing attempts

We have reached out to Plex for clarification on their password hashing practices and the specific nature of the “authentication data” they reported as compromised, and will update this article if we receive a response.

One possibility is that session tokens were affected, which could potentially allow attackers to bypass authentication requirements – this would also explain Plex’s recommendation to log out and log back in with a new password.
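The two points the article raises, salted password hashing "in accordance with best practices" and the need to sign out everywhere so that any leaked session tokens stop working, are easy to show together in code. The following is an added illustration written for this article, not Plex's code; Plex has not disclosed its hashing algorithm or its session design, so the choice of PBKDF2-HMAC-SHA256 with a per-user random salt, the in-memory dictionaries standing in for a database, and the per-user "session epoch" that is bumped on password reset are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed in-memory stores standing in for database tables (example only).
USERS = {}      # username -> {"salt": bytes, "hash": bytes, "session_epoch": int}
SESSIONS = {}   # sha256(token) -> {"user": str, "epoch": int}

# PBKDF2 work factor; tune so a single hash takes a few hundred ms on your hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is generated unless one is supplied,
    so two users with the same password end up with different stored hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def create_user(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "session_epoch": 0}


def _token_key(token: str) -> str:
    # Only a hash of the token is stored server-side: a leaked SESSIONS table
    # does not by itself hand an attacker usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str) -> Optional[str]:
    """Check the password and, on success, issue a random session token bound to the
    user's current session epoch."""
    user = USERS.get(username)
    if user is None or not verify_password(password, user["salt"], user["hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[_token_key(token)] = {"user": username, "epoch": user["session_epoch"]}
    return token


def is_session_valid(token: str) -> bool:
    """A token is valid only if it exists and its epoch matches the user's current epoch."""
    rec = SESSIONS.get(_token_key(token))
    if rec is None:
        return False
    return rec["epoch"] == USERS[rec["user"]]["session_epoch"]


def reset_password(username: str, new_password: str) -> None:
    """Store a new salt+hash and bump the session epoch, which invalidates every
    previously issued token at once: the server-side form of 'sign out of all devices'."""
    user = USERS[username]
    user["salt"], user["hash"] = hash_password(new_password)
    user["session_epoch"] += 1


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    old = login("alice", "correct horse battery staple")
    print("old token valid before reset:", is_session_valid(old))
    reset_password("alice", "a different passphrase")
    print("old token valid after reset: ", is_session_valid(old))
```

The epoch approach means a password reset does not have to enumerate and delete every session row; any token minted before the reset simply stops matching. If the compromised "authentication data" were session tokens, this is the mechanism that makes the advice to log out and back in with a new password effective rather than cosmetic.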

The company has emphasized that user credit card data had not been accessed during the compromise, as they don’t store any. Still, the stolen data can be used to mount phishing campaigns and users should be on the lookout for those.

“We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments,” the company added.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.