Plex confirms passwords, emails stolen in “limited” data breach


Video on-demand service Plex has notified its customers of a data breach in which email addresses, encrypted passwords, and usernames were stolen by a third party.

Customers were told that the company spotted “suspicious activity” on one of its databases on Wednesday 23 August, but believes the actual impact of the incident to be “limited”.

The cyber criminals were able to access a “limited subset” of the data on the database, it said, including a list of hashed passwords. It added that, out of an abundance of caution, it is now asking Plex users to reset their passwords.

Payment details, such as credit card information, were not affected by the attack, the company said, adding that this type of information is not stored on its servers.

Plex did not detail how the attackers gained access to its systems but said it knows how they were able to get in and has now worked to fix that issue. The company also assured customers that it was conducting additional reviews into the security of its systems to prevent further intrusions.

“We sincerely apologise to you for any inconvenience this situation may cause,” said Plex in the breach notification, seen by IT Pro. “We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring.

“We are all too aware that third parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defences.”

Users have also reported that Plex's website is unreachable and, at the time of writing, its website is returning a Cloudflare Error 522, which occurs when the connection between the website and the content delivery network itself times out. It's currently unclear whether this incident is related to the data breach.

The company has been praised by those in the cyber security community for the speed with which it disclosed the incident. US-based companies are not bound by legislation like the GDPR and rarely disclose data breaches as swiftly as EU-based companies.

IT Pro has contacted Plex for additional information on the breach.




Plex users have been advised to reset their passwords “immediately” to prevent any potential account compromise.

Users have also been encouraged to select the option to sign out of all devices connected to the account, a one-click option available during the password reset process.

The media company has recommended enabling two-factor authentication (2FA) as an additional precaution, if users do not have this enabled already.

“This is a headache, but we recommend doing so for increased security,” it said.

Connor Jones
