- cross-posted to:
- selfhosted@lemmy.world
- cross-posted to:
- selfhosted@lemmy.world
We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
What we’re doing
We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.
What you must do
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
Additional Security Measures You Can Take
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.
Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.
For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset



If I were you, I wouldn’t even let the others flabbergast you!
Thank you so much for providing so much detail in your comments. I have actually learned a thing or two about Jellyfin. I, like you, am wanting to get off Plex ASAP, but haven’t had the time to sit down and go through with it just yet. Thanks to you, I see those Shodan examples you provided, and the fact that their freaking LOGIN shows up is beyond scary to me.
I appreciate what you have shared. Thank you!
eh, I’m probably pretty grumpy about this discussion because I keep having the same exact 4-5 talking points “discussed” over and over just every few months. So I get that I’m probably not the most fun to interact. But this is the point. If nobody ever brings up these issues (including the JF devs themselves on their install documents) then we end up with more people like these shodan people.
The JF devs had a 5 year opportunity to close one massive big hole, that would have been simple and easy. The issues related to it are well known to the dev team and proof of concept was submitted over 5 years ago to them. They actively refuse to merge the code that would fix it because of “reasons” (most cited being “compatibility” with some players). And the most cited solution is “reverse proxy”, which is fine… but don’t resolve the problem on it’s own. Case and point with the second shodan link you can reach their instance and you can try the calls and it still “works” even though it’s behind NGINX.
This is a massive problem that isn’t being abused yet that we know of… but that problem is in EVERY JF instance… and has been the whole time JF has been a project since that problem was in the version of emby that JF is forked from. So to say that “Plex bad cause security!” when they specifically notify and do the “right” things in response to a problem is crazy when JF’s answer has been literal crickets for half a decade.
But yeah, Shodan in general is a really fun tool. It’s good habit to check your own stuff out and see what you’re exposing to the world that’s just findable.
Here’s another thing lots of people overlook. If you use let’s encrypt or some other service… look into pulling wildcard certs instead of your specific jellyfin subdomain. https://crt.sh/ and other sites will record every public cert that’s registered. Pop your own domain in… Can search for all sorts of stuff this way too.
I’ll be honest, even this is all new to me. I’ve had troubles wrapping my head around certs and ports, so I’ve always just never even tried anything that would make a port available (as far as I am aware…) so your points have at least reached an audience who appreciates the examples you’ve provided.
Feel free to ignore if you don’t have the mental energy or will to, but where could I find a good source for learning this type of stuff without finding out the hard way like some of those poor people on Shodan? You’ve awakened a fear I didn’t even know I had. lol
Well… I’ll be blunt here. I taught in an R1 institution for a bunch of years. Even people graduating with a Masters in the IT field can know very little about these subjects (which could be a statement of the program itself… but in my opinion mostly of the students lack to join concepts together as I literally had many of those students go through my security and operations classes). It’s possible for the best of us to be blind sided by random things that we didn’t recognize as a problem because we didn’t realize that concept x and y are related. I’m no exception to this and never claimed to be.
IT is a big field and security a hot-button, constantly growing, subfield of it’s own. Which doesn’t help… it’s breakneck to keep up with.
I don’t know of any single source of truths to give you here. Some basic tenants of security… Security through obscurity doesn’t work. Expose as little as you can. Keep everything you can behind some form of trusted/audited auth unless you really want it to be abused. Keep backups (3-2-1) of anything you care about. Encrypt wherever possible. MFA/2fa everything possible. Don’t reuse credentials. I’m sure there’s more that others could chime in with.
Ultimately all you can do is minimize your risk pool. It’s impossible to completely negate it. Keep an eye out on cyber news so you can learn the “new hotness” of the week as far as how things are getting attacked. It’s not necessarily something that needs to be feared, as long as you understand the risks.
You can probably start going through resources like https://www.w3schools.com/cybersecurity/ if you really want to pick up on the basics of stuff out there. And I don’t mind legitimate discussion most of the time if you want to talk about stuff, as grumpy as I might sound, I used to be an educator and have no problems with talking about the stuff I know. Though I am quite sardonic these days, it’s just my cope with the world as I see it fall apart.
The number one thing that helps learn all of it though… a homelab. Every. Single. Student I’ve ever talked to I told “get a homelab, try shit out”. In the context of my classes though, that also meant “try breaking it” too.
Thank you so much. Your knowledge is valuable to someone like me, at least!
I would assume the only thing I have exposed is Plex, since that’s the only thing I access outside of my home. I got the backups down pat now (through learning the hard way, unfortunately…). I use MFA for everything that offers it. I never use the same password for anything.
Seems like my trepidation for online stuff has helped me some in this case. I will definitely be checking out the w3schools, so thank you so much for providing that link!
All in all, your words have helped me today at the least, so I very much appreciate you taking your time to respond and help educate me. It means more than you will probably ever know. I don’t have tech people in my life, and have never had that. I’m the only one in any group I interact with that has any slight interest in technology. I learn best when it is under someone who knows what they are talking about or at the very least can provide ways to explain things.
Anyway, again, sincerely, thank you!
Yeah I feel this. These days it’s near impossible to just pick up on your own. When I was growing up and getting into it, you could still disassemble things and see how they were all connected (and poke at them to make it do weird stuff!). Now-a-days it’s all multilayer boards and impossible to piece together without an electrical engineering degree and an xray machine. It’s hard to ramp into the material when it’s such a vast topic that’s quite hostile to new blood.
The IT side has similar issues… Lots of stuff has been distilled to “this ansible script will handle ALL of it if you setup a 5 line config file” (Or a docker compose file that you just edit and run)… You miss all the backend stuff that’s happening and don’t get the understanding of how it all talks together and works.
Convenient… but not generally good for actual understanding.
Good luck on your IT adventures! Feel free to reach out again if there’s something you want to talk about.