Security breach occurred at streaming service Plex and e-mail address and password leaked

It turned out that the American streaming service Plex sent a notification to some users on August 24, 2022 that data may have been leaked. Plex is asking affected users to change their passwords.

Plex was compromised, exposing usernames, emails, and passwords - The Verge
https://www.theverge.com/2022/8/24/23319570/plex-security-breach-exposes-usernames-emails-passwords

Plex imposes password reset after hackers steal data for >15 million users | Ars Technica
https://arstechnica.com/information-technology/2022/08/plex-imposes-password-reset-after-hackers-steal-data-for-15-million-users/

In an email sent to users, Plex said, ``We have discovered suspicious activity in one of our databases. We have learned that we may have been able to access a limited subset of data, including passwords.' In addition, since credit cards and payment information are not stored on the server, there is no risk of leakage.

Just got a security notification from @plex , screenshot below (with alt text).

- Timely (discovered yesterday)
- Clearly describes scope (emails, usernames, encrypted passwords - NOT payment information)
- Path forward, explaining reasoning.

A great example of incident comms.pic.twitter.com/eWmMwOoQIU

— Murali Suriar (@msuriar) August 24, 2022

Plex said the leaked passwords were hashed and protected according to the company's best practices. According to a Plex spokesperson, the encryption used bcrypt , the strongest password protection method.

Your password was encrypted, but Plex is asking you to change it just in case. However, although the cause is unknown, it has also been reported that you cannot log in to change your password. This issue can be resolved by not signing out after changing the password.

As others have suggested, *not* trying to sign out existing devices seems to work. Go figure.pic.twitter.com/XRkZ58rWBA

— Troy Hunt (@troyhunt) August 24, 2022

Plex is a major media server app with approximately 30 million registered users at the time of writing. In addition to providing various content to paid members, there are also functions such as streaming playback of videos, audio, photos, etc. uploaded by themselves, but it is not mentioned whether private photos were leaked in this data breach. Not.

Plex says it has identified the cause of the unauthorized access and has already taken steps to prevent others from exploiting the same security flaw.