A Plex data breach has exposed usernames, email addresses, and encrypted passwords. As Troy Hunt, Microsoft Regional Director, said on Twitter “Aw crap, I’m pwned in a @plex data breach. Again. I can’t do anything to *not* be in a breach like this (short of not using the service)”
The scale of the security failure is not yet known, but the company is requiring all users to change their passwords and to turn on two factor authentication. Plex is one of the largest media server apps available, used by around 20 million people to stream video, audio and photos they upload themselves, in addition to an increasing variety of content the service provides to paid subscribers.
Plex this morning emailed all users to advise them that a third party was able to access “a limited subset of data,” but did not reveal how many accounts were affected.
Other users have been able to change their passwords, but are experiencing other difficulties when logging in again. A number of users report getting “Not authorized” or “You do not have access to this server” messages for their own servers. Some report success when logging in and claiming the server again, though others have had no luck with this.
It appears Plex has not arranged sufficient additional bandwidth to cope with the flurry of password change attempts. Additionally, the password reset page asks for the new password before the existing one, which is obviously unexpected and may account for some of the failures.
The streaming media platform Plex have suffered a data breach as they ask users to reset their passwords.