this post was submitted on 08 Sep 2025
770 points (99.5% liked)

Technology

74961 readers
3945 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
770
Plex got hacked. (forums.plex.tv)
submitted 1 day ago by als@lemmy.blahaj.zone to c/technology@lemmy.world
284 comments fedilink hide all child comments
 

We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.

What happened

An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.

Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.

What we’re doing

We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.

What you must do

If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.

If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

Additional Security Measures You Can Take

We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.

Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.

For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset

top 50 comments
sorted by: hot top controversial new old
[–] Zink@programming.dev 3 points 1 hour ago

I'm sure Plex has some great engineers, and Plex's infrastructure is far more hardened and secure and reliable than my Jellyfin server.

But they are a way way more likely target, and Jellyfin still performs far better and doesn't try to sell shit to my family members.

[–] ipkpjersi@lemmy.ml 19 points 16 hours ago

I think you mean Plex got hacked AGAIN

lol

[–] phoenixz@lemmy.ca 49 points 1 day ago (10 children)

I hate the tone companies always use with this

Some evil guys did something to us, it happened to us, and there was nothing we could have done to prevent it, but we were so quick to respond and stop it!

Aka, you fucked up with your security. Could you just once admit that?

[–] korazail@lemmy.myserv.one 28 points 22 hours ago (1 children)

I understand what you are saying, and what you want... but admitting fault publicly is a huge liability, as they have then stated it was their negligence that caused the issue. (bear with me and read this wall of text -- or skip to the last paragraph)

I've worked in the Sec Ops space, and it's an arms race all the time. There are tools to help identify issues and breaches quickly, but the attack surface is just not something that can be managed 100%. Even if you know there is a problem, you probably have to send an issue to a developer team to update their dependency and then they might need to change their code as well and get a code review approved and get a window to promote to production. A Zero-Day vulnerability is not something you can anticipate.

You've seen the XKCD of the software stack where a tiny peg is propping up the whole thing? The same idea applies to security, but the tiny peg is a supply chain attack where some dependency is either vulnerable, or attacked by malicious actors and through that gain access to your environment.

Maybe your developers leverage WidgetX1Z library for their app, and the WidgetX1Z library just updated with a change-log that looks reasonable, but the new code has a backdoor that allows an attacker to compromise your developers computer. They now have a foothold in your environment even with rigorous controls. I've yet to meet a developer who didn't need, or at least want, full admin rights on their box. You now have an attacker with local admin inside your network. They might trip alarms, but by then the damage might be done and they were able to harvest the dev database of user accounts and send it back home. That dev database was probably a time-delayed copy of prod, so that the developer could be entirely sure there were no negative impacts of their changes.

I'm not saying this is what happened to Plex, but the idea that modern companies even CAN fully control the data they have is crazy. Unless you are doing full code reviews of all third-party libraries and changes or writing everything in-house (which would be insane), with infallible review, you cannot fully protect against a breach. And even then I'm not sure.

The real threat here is what data do companies collect about us? If all they have is a username, password and company-specific data, then the impact of a breach is not that big -- you, as a consumer, should not re-use a password. When they collect tons of other information about us such as age, race, location, gender, sex, orientation, habits, preferences, contacts, partners, politics, etc, then those details become available for anyone willing to pay. We should use breach notifications like this to push for stronger data laws that prevent companies from collecting, storing, buying or selling personal data about their customers. It is literally impossible for a company to fully protect that information, so it should not be allowed.

[–] AA5B@lemmy.world 9 points 22 hours ago (1 children)

A great place to start is data privacy laws. If they don’t collect unnecessary PII, it can’t be exposed.

But yes, companies need to face more liability. While it’s true that no one is inhackable - you’d need to be perfect everywhere all the time and the bad guys only need one break to succeed - there are best practices that make it a lot more unlikely. If you as a company have been hacked and you’re not taking good care of your customers data, you should be liable for carelessness. Admittedly following good data security practices can be expensive but that’s why there should be consequences for those who cut corners

[–] korazail@lemmy.myserv.one 4 points 18 hours ago

I fully agree: Companies and their leadership should be held accountable when they cut corners and disregard customer data security. The ideal solution would be that a company is required to not store any information beyond what is required to provide the service, a la GDPR, but with a much stricter limit. I would put "marketing" outside that boundary. As a youtube user, you need literally nothing, maybe a username and password to retain history and inferred preferences, but trying to collect info about me should be punished. If your company can't survive without targeted content, your company should not survive.

In bygone days, your car's manufacturer didn't know anything about you and we still bought cars. Not to start a whole new thread, but this ties in to right-to-repair and subscriptions for features as well. I did not buy a license to the car, I bought the fucking car; a license to use the car is called a lease.

load more comments (9 replies)
[–] ngwoo@lemmy.world 16 points 20 hours ago (2 children)

Glad I never gave Plex any payment details, don't reuse passwords, and don't plan on using it any more so I can just ignore this

[–] Scrollone@feddit.it 4 points 8 hours ago

The best solution would be to migrate to Jellyfin altogether

[–] hackitfast@lemmy.world 7 points 20 hours ago (1 children)

I bought a lifetime subscription years ago, and even if the payment method got decrypted, it's well expired. Not to mention I haven't had a Plex server running for ages.

load more comments (1 replies)
[–] CriticalMiss@lemmy.world 82 points 1 day ago (5 children)

Jellyfin advertisement 🤷‍♂️

[–] BackgrndNoize@lemmy.world 12 points 23 hours ago* (last edited 23 hours ago) (1 children)

Stuff like this can happen to any app, developers are only human, shit happens. A bigger company is a bigger target for hackers, so there is some saftey in an open source app that's not as popular, but then again a bigger company also has more resources to monitor for security breaches and quickly address them and push out a hot fix, can't say I know how this works for free open source apps

[–] Sneptaur@pawb.social 15 points 22 hours ago (1 children)

I think the point here is that Jellyfin doesn't have a centralized login or website like Plex does. An attacker would have to know about your server and log into it directly to get access. If you run it in a container, there isn't a lot they can do other than trashing your media library, which you should have protected with filesystem snapshots anyway.

[–] purplemonkeymad@programming.dev 5 points 21 hours ago (1 children)

Jellyfin doesn't even have write access to my files. If they can get access into the container's process then I guess they could add stuff to the web interface which could contain bad stuff.

[–] Sneptaur@pawb.social 1 points 1 minute ago

That's also a viable solution, but for me I just use Btrfs snapshots on my NAS. My files are stored on a different device and the Jellyfin container only sees them as a mounted dir, not even aware that it's an SMB mount.

[–] TheGrandNagus@lemmy.world 13 points 1 day ago (10 children)

I enjoy using Jellyfin and hope it continues to improve, but it has some problematic security of its own.

load more comments (10 replies)
load more comments (3 replies)
[–] ramjambamalam@lemmy.ca 14 points 21 hours ago (2 children)

They say that passwords are hashed but we're they salted?

[–] inclementimmigrant@lemmy.world 11 points 21 hours ago (1 children)

End of the day does it even matter? They've gotten a ton of other information including authentication data which is probably just as, if not more, useful/lucrative to them.

From another source:

Server owners will also have to claim their server again and possibly update it, as Plex has also announced that it had “made adjustments” that will temporarily prevent “regular” users from connecting to any Plex server they have been granted access to.

The reason given is that too many Plex Media Server instances have yet to be updated to version 1.42.1, which contains a fix for a vulnerability (CVE-2025-34158CVE-2025-34158) that could be exploited remotely by authenticated users to gain access to the server and tamper with it and the data on it.

load more comments (1 replies)
[–] Eh_I@lemmy.world 3 points 16 hours ago

Nevermind the credit cards, it's the viewing habits they can sell that really make money.

[–] JasonDJ@lemmy.zip 451 points 1 day ago* (last edited 1 day ago) (11 children)

  • admitted the issue immediately

  • reassured users as to actual scope of breach, probable risk

  • provided recommended actions for users who think they may be impacted.

  • explained best-practices (enough for a laymen's audience) and how they limited scope and impact.

  • did not deflect blame

My god....I've got to hand it to plex. This is the perfect incident response letter. Love 'em or hate 'em, this is a good example for other CISOs.

[–] Scrollone@feddit.it 0 points 8 hours ago (1 children)

They admitted the issue because they're a German company and they would get fined 20 million euros if they didn't.

[–] remon@ani.social 1 points 3 hours ago

they’re a German company

Unless there is a town called "German" in California, they are not.

load more comments (10 replies)
[–] ayyy@sh.itjust.works 145 points 1 day ago (13 children)

I harbor a strong dislike for the profiteers at Plex but their security incident response is textbook correct. Good job security dudes! The rest of your stupid company should listen to you more often.

load more comments (13 replies)
[–] ArmchairAce1944@discuss.online 9 points 22 hours ago

This is why I barely trust any streaming platform... I mean I try to not use my 'real' email for anything (and I stupidly linked my other emails to it on my phone, so Google basically knows it even if they dont have direct access to the inboxes).

There is so much shit being hacked that the idea that rhat any information we put out there isn't already available on the darkweb is stupid. Even some AI camera surveillance company has said that they built their database in part based on information they bought from the darkweb (I need to get the source again).

And I rarely hear about those same hackers getting caught. Its almost like they have it down to a T and it is simply too profitable and the chances of getting caught are too minimal to care. And this shit is continuing despite all the legislation being passed to monitor more and more internet activity, which makes me think if any of it will even work?

It is still rare that someone truly criminal is caught because of some internet searches. Most data is collected from confiscated computers and if they simply deleted their browsing history and used a basic file shredder to wipe their free space they would not be able to recover anything.

[–] moseschrute@lemmy.world 23 points 1 day ago* (last edited 1 day ago) (3 children)

I’m not a security expert, but password hashing is mostly to slow down someone from getting all the passwords. You can’t reverse the hash, but you can generate hashes until you find a match. When hashing, you can dial in how much compute it would take someone to try and solve all the hashes in your database. If you used a good password, it will be more difficult to solve your hashed password. But it’s best to change your password as Plex suggests.

So it depends on how secure a password is and how strong of hashing Plex used when storing the hashed passwords. I have no idea if this is like a “this will take a year” or “this will take a billion years” to solve all the hashes. More compute also means you can solve the hashes faster. Maybe someone with a security background could chime in.

[–] mic_check_one_two@lemmy.dbzer0.com 22 points 1 day ago (6 children)

You can’t reverse the hash, but you can generate hashes until you find a match.

That’s called a rainbow table attack, and that’s why you should salt your hash. This salt basically appends a unique string of characters to every password before it goes into the hash. Let’s say your users are dumb and use “password” for their password. If a hacker has pre-generated a rainbow table, (which is extremely time and resource intensive), then they’ll instantly crack that as soon as they get a match on those common passwords. Even if they haven’t generated a rainbow table, they can just look for identical hashes and guess that those users are using common passwords.

But if you salt it, it’ll slow the hackers down drastically by invalidating their pre-generated table. Each user has their own salt stored alongside the username and hash, so User 1’s hash actually saw “password19,jJ03pa5/-@“ while user 2’s hash saw “passwords)205JrGp02?@-“. Because each of their salts are unique, their resulting hashes are unique too. Even though they used the same password. Now the hackers need to crack the hash for each user, by incorporating the existing salts for each user. They’ll start with the weak and common passwords first, which is why it’s still best practice to use strong passwords. But they can’t actually start the rainbow table process until after they have hacked the info, and they’ll need to create fresh tables for every single user.

load more comments (6 replies)
[–] phoenixz@lemmy.ca 11 points 1 day ago (3 children)

Not entirely

Firstly you don't "generate hashes until there is a match". You can generate hashes until the end of the universe and you'll still have only a fraction of all possible hashes.

What typically is used are large lookup tables with hashes from known passwords. You can then take that table, take a hash you got, and look it up.

So firstly, hashes should be salted, and if salted correctly, it's already extremely much harder to use because these tables no longer work. There are few more things you can do but that pretty much is a hard wall already.

The problem is that many corporate systems out there have horrible security. They either use a hash that has been known to be broken since a long time ago (hello LinkedIn), don't use salting (hello linkediiiiiinn), or don't use hashing at all.

It's because of idiots like these that there are so many accounts with password tables out there

What to do?

Use password managers. Now all your site's have different, safe passwords and you only need to know one. Use 2FA where possible and supported

load more comments (3 replies)
[–] Waraugh@lemmy.dbzer0.com 16 points 1 day ago* (last edited 1 day ago) (7 children)

If they are following best practices then individual hashes should be salted and the database of hashes should be peppered so even if someone brute forces an offline copy of the hashes they wouldn’t result in actual useable passwords.

load more comments (7 replies)
[–] Patches@ttrpg.network 10 points 1 day ago* (last edited 16 hours ago)

If you have Synology using DSM style install

Here is how to "claim" or login to your server that it logs you out of.

https://forums.plex.tv/t/synology-faq-questions-answers-and-how-tos/490215/39

Tldr; Uninstall but keep files. Reinstall using the existing files and a newly token.

Sure would've been nice to know this 2 hours ago.

[–] bitchkat@lemmy.world 8 points 23 hours ago (3 children)

Word of warning. Resetting your password is causing lots of people to lose access to their server. I'll be deleting config and reclaiming the server after work.

[–] Patches@ttrpg.network 2 points 16 hours ago (1 children)

If you have Synology.

Uninstall(without delete) and reinstall Synology.

It will allow you to log back in.

[–] bitchkat@lemmy.world 3 points 15 hours ago

I'm on Linux and the simplest solution I found was to use the browser to generate a claim code on plex.tv and then install that code in the server via curl.

load more comments (2 replies)
load more comments
view more: next ›