Plex, one of the most popular global streaming media services, on Wednesday announced a potential data breach involving one of its databases. The company claims that the “impact of the incident is limited” and has advised all Plex users to change their passwords immediately “out of an abundance of caution”.
In a warning letter sent to its users via email, the company said that it detected suspicious activity in one of the Plex databases on Tuesday and immediately started an investigation.
The investigation found that a third party was able to access a limited subset of data, which includes emails, usernames, and encrypted passwords. The company also noted that no credit card numbers or payment data are stored on Plex servers and hence weren’t compromised as part of this breach.
“Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident,” the company wrote in the warning letter.
Plex said that it has already addressed the method that provided third-party access to its system. It is also doing additional reviews to ensure that the security of all of its systems is further toughened to prevent future infiltrations.
When resetting the password of a Plex account, the company urges its customers to tick the checkbox that reads “Sign out connected devices after password change”. This will additionally sign them out of all devices (including any Plex Media Server that they own) and require them to sign back in with their new password. While Plex acknowledged that it knows “this is a headache”, it recommended that users do so for increased security.
For further account protection and to avoid potential breaches, Plex also recommends its customers enable two-factor authentication (2FA) on their Plex account if they haven’t already done so.
“Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring,” the letter concluded.
“We are all too aware that third-parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defences.”
Plex has created a support article with step-by-step instructions on how to reset your account password. The streaming service also said that it would never reach out to its customers to ask for a password or credit card number over email.