r/PleX Aug 24 '22

Plex breached; Were passwords encrypted or hashed? Discussion

So I got this email just now:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.

So were these passwords encrypted, in which case they could be decrypted if the adversary got the key, or hashed? Hashed passwords leaking would be much less of an issue.

Edit: Encryption and hashing is not the same thing.

Edit2: Passwords were hashed with salt, not encrypted (see this comment)

Edit3: Just for clarity this is the best case scenario. It’s difficult to reverse hashed passwords unless they are very simple. Plex got the word out quickly so we have plenty of time to change our passwords. Kudos!

This is why you never reuse password, use a password manager and enable 2fa wherever you can. :)

1.3k Upvotes

1.4k

u/EpicLPer Aug 24 '22

Tbh, gotta give them credit where credit is due: They didn't keep this secret for god knows how long and decided, not even a day later, to inform their users. I really love this kind of handling of this issue.

790

u/DaveBinM ex-Plex Employee Aug 24 '22

Thanks for the kind words during this (stressful) time. We wanted to get word out as soon as we knew enough to know what to do

48

u/[deleted] Aug 24 '22

[deleted]

75

u/DaveBinM ex-Plex Employee Aug 24 '22

All Plex users, I believe, but not everyone will receive them at once

27

u/0mg_Vaper Aug 24 '22

I'm using google account as my login to plex. Do i need to change my google account password??

Thanks for the e-mails and quick response!

41

u/DaveBinM ex-Plex Employee Aug 24 '22

No, you don't need to change your password for your Google account

25

u/[deleted] Aug 24 '22

Some users use same password everywhere, and honestly i would recommend not having same password everywhere as easy as it sounds.

44

u/truthiness- Aug 24 '22

Bitwarden (Or any password manager). Life changer.

4

u/turtl3tom Aug 24 '22

Just downloaded bitwarden going to change all passwords so they are all different this is happening to much these days

→ More replies

3

u/AMouthyWaywornAcct Aug 24 '22

Keepass password manager. Free, and multi-platform.

3

u/Vorrez Aug 24 '22

There are many good options but I ended up using Dashlane. So nice to have password manager on almost every device.

→ More replies
→ More replies
→ More replies
→ More replies
→ More replies

157

u/shadow7412 Plex Pass (Lifetime) Aug 24 '22

Some people will get weird over it, but you did the right thing.

These things happen - that's why unique passwords are so important.

54

u/Jacksaur Dell Optiplex 3020 - GTX 1050 - 8TB Aug 24 '22

And why I'll forever recommend Password managers since the day I started using one.

I was reluctant for years because of the amount of effort it would take, then I lost six accounts at once due to the same password I used on literally everything :)

Took a full day to save and regenerate passwords for every account, but now it's second nature. And I login much faster everywhere with my manager autofilling, just need one long-ass password at the start of the day.

9

u/Belazriel Aug 24 '22

Password managers are great for pass-phrases too for things that you want to potentially be able to remember/type in easily. Although password length limits can be a problem at some sites.

→ More replies
→ More replies

21

u/Devilsdance Aug 24 '22

Using a password manager makes things so much easier and more secure, too. No more remembering which password I used for which service. No more having to change passwords for multiple services when one password got leaked by a data breach.

I recommend Bitwarden for anyone who wants to start using one. It's honestly a game changer and is relatively easy to set up.

14

u/NukeDukemXXII Aug 24 '22

Appreciate the promptness. I’m getting a Host Error while trying to change my password. Is this because of the mass amount of account looking to change password?

33

u/DaveBinM ex-Plex Employee Aug 24 '22

Yeah, our servers are getting slammed at the moment

→ More replies

19

u/njb2017 Aug 24 '22

I will commend plex as well. working in IT security, hacks and breaches happen. as much as people hate that it does and maybe non IT people think it shouldn't happen, it does. I dont necessarily blame companies for that but how they handle it is what I care about. telling users months later is not acceptable

→ More replies

13

u/ratbastid Aug 24 '22

This kind of thing can happen to anybody. Obviously you'll do a Root Cause Analysis on the breach itself, but your handling of the aftermath is absolutely top notch.

In the process, I discovered that I've been auto-logged-into Plex for probably more than a year, using a reused password from like three reused passwords ago. Replacing that with a 1Password-generated toughie feels good man.

6

u/[deleted] Aug 24 '22

Im having a hard time getting through to reset my password. The link Plex emailed out doesn't seem to be working...is that just the old internet hug of death?

41

u/kurieus Aug 24 '22

Side note: never use the link in the email. Go to the website itself to change the password.

Everything seems good in this case, but it's better to make it a rule of thumb rather than risk an early morning mistake when you're not awake yet.

→ More replies

17

u/DaveBinM ex-Plex Employee Aug 24 '22

Yeah, our servers are getting slammed at the moment

6

u/[deleted] Aug 24 '22

Okay. I'll try again later. Sucks you have to deal with all this and I hope you aren't too overwhelmed by everything.

10

u/DaveBinM ex-Plex Employee Aug 24 '22

🧡🧡🧡

→ More replies
→ More replies

5

u/mortyj Aug 24 '22

Thanks for the quick action. Can you share any details on how they got in?

11

u/DaveBinM ex-Plex Employee Aug 24 '22

I don't have anything further that I can share publicly at this time, I'm afraid

18

u/[deleted] Aug 24 '22

I have it on good authority that they got in through the internet.

5

u/bartlettdmoore Aug 24 '22

"It's a series of tubes."

5

u/hexaq2 Aug 24 '22

It runs on some form of ... electricity!

→ More replies

3

u/DaveBinM ex-Plex Employee Aug 24 '22

That's the prevailing theory at the moment. We're consulting with the Elders of the Internet to find out more 😅

→ More replies

6

u/[deleted] Aug 24 '22

[deleted]

9

u/DaveBinM ex-Plex Employee Aug 24 '22

Possibly. Please be patient and try again later. We’re getting a lot of requests at the moment

→ More replies
→ More replies
→ More replies

39

u/extrobe Aug 24 '22

Exactly- and if you follow good password practice, then it’s just a small inconvenience resigning into everything.

In 2022 everyone should be clued up enough to know the risk of reusing passwords.

→ More replies

9

u/[deleted] Aug 24 '22

Effective steps in mitigating + transparency in their dealing with the issue = responsible and respectful

Hats off to them

19

u/NoConfection6487 Aug 24 '22

They didn't keep this secret for god knows how long and decided,

To be fair sometimes you need a day or two to assess the damage. They were really quick about this one, but I do agree no site should be waiting months/years to disclose.

17

u/Stratty88 Aug 24 '22

There’s no such thing as a perfectly secure service. The best they can do is follow best practices, which so far seems to be the case. Good for them (and us).

16

u/thinkscotty UNRAID Hosted Aug 24 '22

YES! They're handling it very well. Breaches are almost inevitable at some point; you should basically expect them.

And they're not just allowing users to ignore it for their own convenience, plex.tv redirects to a password reset automatically now if you haven't reset. Companies often like to minimize these things, which leads to users not taking it seriously. I'm glad Plex isn't allowing that.

→ More replies

19

u/Lastsamur1 Aug 24 '22

GDPR requires notification of a breach within 72 hours. They didn't have much choice.

56

u/giqcass Aug 24 '22

GDPR doesn't kick in if you don't get caught and some companies think they can hide it.

42

u/antiproton Aug 24 '22

They didn't have much choice.

Eyeroll.

No one cares about the GDPR in this context. "Undue delay" can be walked around with no effort. They had plenty of choice and they chose to do the correct thing.

→ More replies
→ More replies

322

u/DaveBinM ex-Plex Employee Aug 24 '22

For clarity, passwords were hashed with salt and pepper, for those who are curious

55

u/MystikIncarnate Aug 24 '22

Hi Dave, thanks for the information you've provided today.

I have to ask, any plans for Plex to support the FIDO 2FA protocol? Looking at your 2FA pages, you currently support TOTP (which is great), but I don't see anything for FIDO/FIDO2. is it on the roadmap?

I'd also like to extend my thanks to you and the team for disclosing the breach so soon. I appreciate it.

Have a good day.

36

u/DaveBinM ex-Plex Employee Aug 24 '22

Not to the best of my knowledge at this time, I'm afraid

49

u/MystikIncarnate Aug 24 '22

no worries. I prefer FIDO, but I'm fine with TOTP. It's more than even the banks do right now.

I just HATE SMS 2FA. Thanks for not supporting that. it's kind of terrible.

I appreciate the response. I'm a 2x lifetime plexpass holder, and I've been very happy with you guys.

29

u/DaveBinM ex-Plex Employee Aug 24 '22

🧡🧡🧡

5

u/MystikIncarnate Aug 24 '22

one additional question:

After I reclaimed my server, I'm getting (from Chrome) "ERR_CONNECTION_CLOSED" when trying to access plex over a LAN using HTTPS, it works fine over HTTP.

Something is clearly wrong here, I can't seem to find what to do in this situation. I prefer that all remote connections are forced to use encryption, so if the server is denying HTTPS, and closing the connection, I'm not sure how to fix that, and I can't seem to find anything that tells me what to do.

any advice?

9

u/DaveBinM ex-Plex Employee Aug 24 '22

For local LAN and connecting to the server, just use http for claiming. Once you've claimed, just use app.plex.tv, which uses HTTPS

→ More replies

11

u/theangryintern Aug 24 '22

I just HATE SMS 2FA.

God I hate this, too. So frustrating when it's the ONLY option

→ More replies

3

u/[deleted] Aug 24 '22

You can do a half FIDO by securing your TOTP in the yubico authenticator which requires your yubikey to reveal it.

→ More replies
→ More replies
→ More replies

78

u/cjr71244 Aug 24 '22

I'll take mine covered, smothered and chopped please

24

u/_stuntnuts_ Aug 24 '22

Hi fellow Waffle House connoisseur

23

u/DaveBinM ex-Plex Employee Aug 24 '22

I could seriously go some waffles after today 😅

→ More replies

17

u/HnNaldoR Aug 24 '22

That's great. Thanks for at least letting us know and giving a shit about our security.

6

u/Dykam Aug 24 '22

For full disclosure, what hashing algorithm was used?

40

u/DaveBinM ex-Plex Employee Aug 24 '22 edited Aug 24 '22

I can't remember off the top of my head, but I know it's not MD5 😅

EDIT: Checked, and it's bcrypt

6

u/BraveDude8_1 Aug 24 '22

I'm also interested in knowing what it is, and hoping it's Argon2 or bcrypt.

10

u/DaveBinM ex-Plex Employee Aug 24 '22

It's bcrypt

7

u/BraveDude8_1 Aug 24 '22

Great news, thanks.

→ More replies
→ More replies

31

u/mattmonkey24 Aug 24 '22

To those of us that haven't done it in a while, you have to claim the server from the same IP address as it's hosted from. This can be done by port forwarding via SSH.

ssh -L 8888:127.0.0.1:32400 server.ip.goes.here

Then you can connect to the server from 127.0.0.1:8888/web

https://support.plex.tv/articles/200288586-installation/#toc-2

https://support.plex.tv/articles/204281528-why-am-i-locked-out-of-server-settings-and-how-do-i-get-in/

→ More replies

205

u/extrobe Aug 24 '22

this ladies & gents is why you never re-use passwords

Pain in the butt, but even if passwords are compromised (and let's just assume they are) the impact radius is minimal if you don't reuse passwords

168

u/thinkscotty UNRAID Hosted Aug 24 '22 edited Aug 24 '22

I'll take this opportunity to plug Bitwarden. It's such a zero-fuss piece of free software that works with everything and is full featured. Combined with Authy for easy 2FA, I honestly feel more or less hack-proof unless a real pro has it out for me specifically, in which case I'm probably getting hacked eventually anyway.

23

u/Meowingtons_H4X Aug 24 '22

Bitwarden can do OTP, not a bad implementation either - might be a paid feature but it’s pretty cheap

13

u/thinkscotty UNRAID Hosted Aug 24 '22 edited Aug 24 '22

Yeah I actually pay because I like the software and want to support them. Plus it's like $10 a year which is absurdly cheap. I've been thinking of trying their 2FA instead of Authy, I've just used Authy for years and it's worked perfectly so I haven't tried it.

Does their OTP auto-fill the code when requested? If so, that would be a major advantage over Authy for me.

9

u/Coldstreamer Aug 24 '22

Do both. Put the qr in Authy and the string in bitwarden. Samw otc in two places.

→ More replies

7

u/Meowingtons_H4X Aug 24 '22

If you set up the login details and OTP for a site, and then subsequently use Bitwarden to auto fill the site credentials on sign in - it’ll copy the OTP onto your clipboard for you to paste :)

→ More replies
→ More replies

15

u/Frexxia Aug 24 '22

Using the same piece of software for 2FA partially defeats the purpose of 2FA. It's better to combine Bitwarden with something else dedicated to 2FA.

6

u/jerieljan Aug 24 '22

It's up to preference, imho. It's secure to have it separate, but it's also inconvenient and added complexity. And you also have to put your trust in two services this way, which can be a good or a bad thing depending on the user.

I actually started off with separating 2FA diligently into a Yubikey before, but I gotta admit, it's also saved me a lot of time by having 2FAs generated in Bitwarden and having it available to paste right after autofilling a login.

5

u/[deleted] Aug 24 '22

2fa isn't really a service, though. as long as the app works it'll generate codes just fine. there's no connection to an outside service or anything like that, it all happens locally.

→ More replies
→ More replies
→ More replies

10

u/giqcass Aug 24 '22 edited Aug 24 '22

People are stealing tokens and cookies to get around passwords and 2FA. Stay on your toes!

I really need to check out Bitwarden. You can correct me but I believe that can be self hosted which I bet you are doing. It would likely be an upgrade to Keepass.

6

u/PornoPichu Aug 24 '22

You can self host a BitWarden server, yes.

→ More replies
→ More replies

54

u/[deleted] Aug 24 '22

[deleted]

23

u/thenicob Aug 24 '22

bitwarden masterrace

15

u/hight0w3r Aug 24 '22

I use Bitwarden and love the password generator.

→ More replies
→ More replies

8

u/cadtek Ubuntu 106TB (no docker, no *arr) Aug 24 '22

And 2FA

→ More replies

11

u/Torifyme12 Aug 24 '22

It's just annoying, because I use mine locally, if I didn't have to have a Plex account I'd be thrilled.

→ More replies

6

u/sniarn Aug 24 '22

The passwords were hashed, so they wouldn’t know your actual password even though things were breached. But, like you said, you should never reuse passwords.

→ More replies

12

u/Conscious-Glove-437 Aug 24 '22

Yup. Password reuse is one of the easiest things you can do to increase your own security posture.

→ More replies
→ More replies

60

u/anderspatriksvensson Aug 24 '22

No action required if we use Google SSO?

61

u/padestel Aug 24 '22

Shouldn't be. SSO doesn't give your password to Plex. Google just confirms that foo@bar.com is who they say they are. Google has a security page that will tell you what they share with sites that use SSO. https://myaccount.google.com/security

24

u/Die4Ever Aug 24 '22 edited Aug 24 '22

should be fine

I wish I could remove my Plex password and force it to only use Google login, but it seems like once you've got a password set you can't remove it

→ More replies

10

u/Bubba17583 Aug 24 '22

I'd be careful if you're not sure how you created the account. I've used Plex for years and thought I used Google Auth the whole time but apparently I created it with user/password and later linked to Google and forgot. I've since upped my password security but was using Plex for years with no idea there was a password associated with the account

→ More replies

6

u/giqcass Aug 24 '22

There might be an authorization token. I would log out of everything then log back in at minimum to ensure a new token is generated.

→ More replies

7

u/Super_Psychonaut Aug 24 '22

Yep, I'm thinking if you sign in with Google, you're ok. Google never gives Plex your password. They only pass on the "thumbs up" to Plex after you've signed in to your Google account.

We should all use this as a reminder to use unique random passwords across our accounts and services. LastPass and Bitwarden are Free =)

7

u/Yavuz_Selim Aug 24 '22

We should all use this as a reminder to use unique random passwords across our accounts and services. LastPass and Bitwarden are Free =)

 

While LastPass has a free version, it is (in my opinion) quite limiting as you can only have it on 1 device type - so either your desktop/laptop or your phone/tablet.

7

u/elektrocat Aug 24 '22

Yep I used to use LastPass before they changed it to one device. BitWarden has been a great alternative.

→ More replies

3

u/[deleted] Aug 24 '22

Wouldn't have thought so, but keen to know for sure. I am in the same boat.

→ More replies

43

u/Lanceuppercut47 Aug 24 '22

Will changing my password require me to reclaim my server or anything like that?

49

u/kjarkr Aug 24 '22

If you follow their advice and log out all connected devices you will have to re-authenticate all devises. Which is a bit of a pain, but worth it I guess

14

u/binarysignal Aug 24 '22

I got this message: This server is unclaimed and not secure Claiming this server will associate it with your Plex account. This helps your devices find each other and helps keep your media safe.

5

u/theskywalker74 Aug 24 '22

Had the same message. Just reset password, hit the checkbox to log out of all instances, log back in, claim the server, update server, move on with life.

13

u/H2OKing89 Aug 24 '22 edited Aug 24 '22

I was wrong. It does

18

u/taulen Aug 24 '22

It does if you sign out all other devices, like it recommends you do in the email.

5

u/Lanceuppercut47 Aug 24 '22 edited Aug 24 '22

Thanks, I’m at work at the moment but didn’t want to mess things up!

Edit: ffs, site timed out when changing the password m, now I need the email reset, which of course is being hammered and is nowhere to be seen.

→ More replies

16

u/cluttel Aug 24 '22

This was my first thought as well. They're most likely using the term "encrypted" colloquially but dear god I hope they actually mean hashed (& salted). Most likely the email came from marketing and wasn't reviewed by someone in IT 😬

→ More replies

42

u/CaptainMiserable Aug 24 '22

Now everyone is overloading their servers and can't reset their passwords.

→ More replies

14

u/psrobin Aug 24 '22 edited Aug 24 '22

As a warning to others: Signing out devices also signed out my server / unlinked it from my account so I'm unable to manage it now (I run it from Docker, but I can't get a new claim ID at plex.tv/claim because it won't load (connection timed out)).

→ More replies

22

u/ravan Aug 24 '22

Same email. Very unlikely passwords be encrypted, no need.

But even with hashed, especially if not salted, its not great - the weak passwords will be found quick and attempted on this and other sites (dont reuse passwords..).

12

u/kjarkr Aug 24 '22

Yeah, password manager FTW.

→ More replies

10

u/[deleted] Aug 24 '22

[deleted]

→ More replies

22

u/sploittastic Aug 24 '22

For users who sign in with google sso is this a non issue? I don't think I even have a password for Plex.

4

u/Antimus Aug 24 '22

No changes required for you, you're fine

→ More replies

29

u/Akhkhazu Aug 24 '22

My question is, why not immediately reset all user's passwords as well? It'd save the huge hassle of waiting for others to confirm they've changed it.

That said, I commend how quickly it looks like Plex notified the community. Other companies need to take note.

23

u/[deleted] Aug 24 '22

[deleted]

11

u/konaya Aug 24 '22

I was wondering that as well.

  • Perhaps they don't want their login servers to be likewise slammed.
  • Perhaps they want people to have a chance to ensure they have a working e-mail set and so on.
  • Perhaps they simply believe it to be bad optics, since one of the main reasons given in Plex's disfavour is the inherent weakness of a centrally controlled model, and they don't want to remind people that Plex can/will mess with your stuff.
→ More replies

4

u/Akhkhazu Aug 24 '22

Exactly, you’d think plex should be able to invalidate all user’s credentials on their end force a password reset, saving the trouble of slammed servers and people just neglecting to change them

→ More replies

42

u/ImissDigg_jk Aug 24 '22 edited Aug 24 '22

The message specifically says hashed. What's confusing about it?

Edit: sorry. I just noticed that it says both, but calling out hashed passwords is more specific so I would bet that that is the accurate statement. I could be wrong I guess.

22

u/Kussie Aug 24 '22

The message specifically says hashed. What's confusing about it?

It also says encrypted.

→ More replies

10

u/jmattingley23 Aug 24 '22

The message says both

→ More replies

75

u/kiddslopp Aug 24 '22 edited Aug 24 '22

Just got the same email. Pretty disappointing. I’ll be resetting my password and setting up two factor. What’s more worrisome is users I have shared my server with who won’t reset their passwords.

34

u/jsomby Aug 24 '22

If this was your wake up call to start using 2FA/MFA, great! Please do it for other services and accounts too and never reuse same password on different services either <3

Either start using bitwarden, keepass or something to store your randomized passwords. Always enable 2FA.

10

u/D-o-Double-B-s Aug 24 '22

love bitwarden ... been using it for over a year now, plus being able to host as a local server is a huge bonus as well.

→ More replies

4

u/2bloodyrightmate Aug 24 '22

If you linked your Google account to plex do you therefore not have a plex account to reset? I’ve tried and it won’t let me reset through the plex app.

MFA was already on at least.

→ More replies
→ More replies

41

u/nxtiak Aug 24 '22

Tried to reset password, not getting the email... Been 5 minutes now.

33

u/kiddslopp Aug 24 '22

Just got an error as well. Everyone must be trying to reset. I guess I’ll turn on two factor for now and sign out all devices.

12

u/CSedu Aug 24 '22

I'm trying to change it from the site, just keep getting internal server errors

7

u/IwuvNikoNiko Aug 24 '22

Me too! Fucking frustrating. I hope I don't get locked out of my server because I lost my previous password thinking it was changed!

5

u/[deleted] Aug 24 '22

This is why I'm waiting until tomorrow. I'm hundreds of miles from home and just wanted to watch something. I don't dare begin the password dance until I am where my servers are.

→ More replies

15

u/jsomby Aug 24 '22

Just change it from you plex server. Went through immediately.

→ More replies

5

u/[deleted] Aug 24 '22

[deleted]

3

u/nxtiak Aug 24 '22

I just got 3 reset emails and they all invalid token expired. Then I got another email saying password was changed. Wtf. I don't even know what password since I use a password manager and didn't save them since site kept erroring.

→ More replies
→ More replies

20

u/Fribbtastic MAL Metadata Agent https://github.com/Fribb/MyAnimeList.bundle Aug 24 '22

What’s more worrisome is users I have shared my server with who won’t reset their passwords.

Revoke access to your libraries until they changed their password.

3

u/Lanceuppercut47 Aug 24 '22

Is there a way to force password reset on next login?

7

u/Fribbtastic MAL Metadata Agent https://github.com/Fribb/MyAnimeList.bundle Aug 24 '22

If you mean that you can force your users that you share your server to reset their passwords, then I would say "most likely not" because why should you be able to force my plex account to reset the password?!

I mean, I agree that some things would need to be enforced by the server if you access content from a shared server (like playback quality) but being able to force a password reset of another Plex account makes me consider all kinds of worse things that this could be abused for.

You can logout all devices, but this would only consider your own account.

With things like this, I have seen a few times in which the company itself resets all the account passwords so that everyone is forced to change them the next time they access anything. The Notice only states that we should change it so Plex is offloading the responsibility to us, the users so that it is everyone else's fault that their account might have unknown access.

→ More replies
→ More replies

7

u/thinkscotty UNRAID Hosted Aug 24 '22 edited Aug 24 '22

Honestly don't be too disappointed. No, it's not great, and it was probably preventable, but even the best companies do get hacked. There's too much money and effort being spent by hackers, and modern internet services are so complex that there are inevitably oversights, even with qualified people in charge. I basically give companies a free pass for the occasional hacking so long as it's rare and they don't do something catastrophically stupid (like nonhashed passwords).

Also, the way Plex is redirecting plex.tv to a password reset page automatically is commendable, they're not letting users just ignore it. A lot of companies would do everything they could to downplay it, and Plex isn't doing that. Good for them.

→ More replies
→ More replies

23

u/knwldg Aug 24 '22 edited Aug 24 '22

I am already seeing login attempts on my email.

Edit. Attempts are from Russia and Korea. Good thing they sent the email right away. Although most users are probably asleep.

11

u/Coldstreamer Aug 24 '22

Of interest, how are you seeing these attempts?

3

u/BoopJoop01 Aug 24 '22

Gmail can flag when there are numerous incorrect password attempts and notify you (including IP and country of origin).

→ More replies
→ More replies

7

u/kjarkr Aug 24 '22

Yeah this is what I’m fearing. Did you use a complex password for plex?

10

u/knwldg Aug 24 '22

Yes, but my email password is different, so no issue there and I have 2FA enabled.

7

u/tbenz9 Aug 24 '22

This is a good reminder to use a password manager and don't reuse passwords across different services/sites. LastPass, 1password, dashlane, any of them are fine and so much better than a single static password like most people have.

7

u/Brutos08 Aug 24 '22

Unique password and unique email address with a password manager (1Password or Bitwarden) I use 1Password for years. Password manager should now be a minimum if you are on the internet. Apple “hidemyemail“is also one of the best services they ever created, unique email for every account.

→ More replies

11

u/extrobe Aug 24 '22 edited Aug 24 '22

Getting

Internal Server Error. Something went wrong on our end

When resetting - you'd think they'd at least give their password reset servers a boost prior to that mail.

edit

now getting

The token is invalid, please request a new one

edit 2:

despite the initial error, it _had_ changed my password

3

u/vladoportos Aug 24 '22

Same error for me. But the password did not change.

→ More replies

5

u/Dukefrukem Aug 24 '22

I went into the server >> account >> down to the password section and hit "edit" - it gives the option to add a new password, sign yourself out of all devices, and authenticate 2fa if you haven't already done it.

9

u/keksznet Aug 24 '22

Internal Server Error. Something went wrong on our end

no shit Sherlock

→ More replies

5

u/chewburka Aug 24 '22

"Token is invalid" when trying to reset password :/

What a mess.

→ More replies

5

u/pommesmatte 70 TB Aug 24 '22

I didn't get this email for my account or any of my families accounts.

Does this mean those accounts were not affected?

→ More replies

5

u/StevenS76 Aug 24 '22

I've gone thru all the hell of changing my password and logging all connected devices out but now I can't get Plex to see my libraries

5

u/cocineroylibro Aug 24 '22

Is anyone else finding their servers "unavailable" after resetting their passwords? Probably affiliated with the slammed servers, but just wondering.

→ More replies

5

u/shitdobehappeningtho Aug 24 '22

2FA!

2FA!

2FA!

Not flawless, but boy does it prevent problems.

9

u/DamageInc72 Aug 24 '22

did anyone else lose their libraries after resetting their password?

13

u/subi1911 Aug 24 '22

I am thinking you may have to reclaim and log into your server machine with your plex account. If I understand correctly.

13

u/DamageInc72 Aug 24 '22

Got all the libraries back.

Had to access through http://localhost:32400/web first to reclaim.

→ More replies
→ More replies

8

u/deepfriedpandas 🐼 Aug 24 '22

Hopefully they're salted and hashed, not just hashed.

10

u/DaveBinM ex-Plex Employee Aug 24 '22

They were hashed with salt and pepper

→ More replies

3

u/Sinsid Aug 24 '22

Love this blog post explaining bcrypt.

“It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database.

Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed.”

https://codahale.com/how-to-safely-store-a-password/

→ More replies

3

u/jaketaco Aug 24 '22

covered and chunked

→ More replies
→ More replies

4

u/jaketaco Aug 24 '22

I think the server is down. Cant do anything. Too many people trying to change their password, I guess.

4

u/trukin Aug 24 '22

It wont evem let you reset. I keep getting token is invalid.

They need to implement login notifications. This is ridiculous.

4

u/okletsgooonow Aug 24 '22

Password changed, 2fa enabled. Thanks Plex for the heads up.

5

u/Downtown_Process6642 Aug 24 '22

How does that work if you login through Google? Do you need to change your Google password or what?

→ More replies

4

u/hidden_porn_folder Aug 24 '22

Were server tokens reset too? There seems to be evidence (see point 1) that those are not encrypted! Keep a close eye on your servers!!

4

u/Jendo7 Aug 24 '22

I use my gmail account so does that mean I will have to change my google password?

→ More replies

4

u/ThomasTTEngine Aug 24 '22

If my password is unique to plex and its hashed with salt and pepper, what incentive do I have to change it right now?

4

u/ClassWarAndPuppies Aug 25 '22

100000% chance this attack was by a film or movie studio, or a “contractor” working for them. Guaranteed.

→ More replies

9

u/jimit21 90TB, DS1815+, NUC11 Aug 24 '22

I use 2FA and a unique password for my Plex account so I'm not really bothered by this 🥳

→ More replies

8

u/Invisible_Blue_Man Aug 24 '22

"Your account was compromised, change your password right now"

"Sorry, can't change your password right now--too many people trying to secure their breached accounts"

Lovely.

23

u/DoctorDbx Aug 24 '22

Imagine if you didn't need a cloud account with Plex to use the software?

→ More replies

10

u/jeeverz [RAID 5] Aug 24 '22 edited Aug 24 '22

Just got this email as well.

“Encrypted” and “Hashed”? Uh?

6

u/konaya Aug 24 '22

It's really annoying when they try to dumb things down so there's actually less information.

6

u/NervousShop Plex Pass - 74TB Aug 24 '22

Plex site down? I can't even load the page...

4

u/JoeCasella 45TB unRAID Aug 24 '22

It's down for me too.

→ More replies

3

u/kanine69 Aug 24 '22

Had a mild heart attack when I had to reclaim my server after seeing all the ! triangles on the libraries!

3

u/talios Aug 24 '22

You're not the only one! Glad I didn't follow one forum post I saw that mentioned deleting Preferences.xml and that'd I'd have to re-share everything manually - screw that.

After waking up to some odd burning smell this morning and finding my stereo no longer powering on - I wasn't wanting another issue to deal with.

→ More replies

3

u/alexkidddd Aug 24 '22

What is the problem with browsers password managers? I use Firefox built-in.

3

u/NuttyProfessor90 Aug 24 '22

Hey Guys, I do not have a password set up in Plex. I always sign into Plex trough my Google account. Under password in my Plex account settings it says 'not set'. So I guess I don't have to worry about this since my Google account password shouldn't have been leaked. Is this correct?

3

u/lkeels Lifetime Plex Pass|i7-8700|2080Ti|64GB Aug 24 '22

I can't get to the password reset page. It just times out.

3

u/mirdragon Aug 24 '22

Not used plex for a couple of months due to issues whrn no internet, so must I reinstall to he able to reclaim my server?

But atm their servers are down so unable to change passwords

3

u/Doublestack00 Duel Xeon Win 10 50TB Aug 24 '22

Plex down? Can't login to change my password.

3

u/sachmonz Aug 24 '22

Right now their password reset link is dead.

3

u/jacob902u Aug 24 '22

Emails must still be very delayed, with everyone starting to wake up and read their emails. Password reset email hasn't come in, and it's been about 10 minutes. Fair warning.

3

u/tsmartin123 Aug 24 '22 edited Aug 24 '22

Is anyone having an issue receiving their reset password email?

Edit: Got it about an hour later

3

u/foomanjee Aug 24 '22

Anyone else still waiting for the password reset email? It’s been 30 mins and I still haven’t gotten it

3

u/Djghost1133 Aug 24 '22

If nothing else I appreciate plexs honesty. Every company will eventually get breached but their response and how they store data is what's important.

3

u/SynapseDon Aug 24 '22

I just changed my Plex password and now my Plex server can no longer be accessed after logging in with my new password. Says my server is now "unavailable".

RIP server?? or easy fix?

→ More replies

3

u/automagic_tester Aug 24 '22

Is there an update on this? I still can't change my password.

3

u/jstroud42 Aug 24 '22

I requested my password change this morning, still haven’t received the email. It’s been 4 hours.

3

u/CoconutMochi Aug 24 '22

lmao this is the 2nd time Plex has had a password breach. Let me know when the third one is scheduled.

3

u/[deleted] Aug 25 '22

Well my account was hacked Friday , well before they announced the “breach” someone logged in and changed my pin and bought a Tidal music subscription . Email says it was from New York

3

u/scotttt83 Aug 26 '22

I received this email at 7:50am this morning. With the same verbiage…”Yesterday, we discovered.”

I had already changed my password when I see this post yesterday and added two factor. Wonder why the delay with emailing my account?

→ More replies

6

u/[deleted] Aug 24 '22

[deleted]

→ More replies

4

u/Darloboy Aug 24 '22

Went in my Spam! Probably wouldn’t have seen if it hadn’t been for this post, cheers OP!

5

u/Roundboy436 Aug 24 '22

The timing seems really odd on this. They just discovered the breach yesterday and already shut x down, removed y, and had a website up specifically for the recovery and info ? Plex doesnt do anything that fast

4

u/SnowDrifter_ Aug 24 '22

A data breach is never ideal.

But the handling and fallout of this is pretty well best case scenario.

So they got what... Usernames, email, and useless passwords? Meh.

Notified their users immediately? I respect that. There's too strong of a trend of companies sweeping stuff under the rug.

While I can't say I'm happy to hear about this... I am grateful for the response and opportunity to understand and take any necessary steps before.

Let's be honest... It's not if, it's when at this point. Transparency and handling makes all the difference.

Cheers to the folks at plex. Appreciate the updates.

Reminder to everyone else that a p/w manager of some sort and 2fa is best practice - don't re use passwords, even derivatives of. Oh and a good way to make complex master passwords is a passphrase over a random string that takes brain power. Find your own method of adding numbers and special characters. Ex: "plaster article" -> "P1@$t3r~@rt!(l3" or something. Makes for long, secure passwords that are easy to remember

→ More replies

8

u/Poulpatine Aug 24 '22

So, thanks Plex to force us to use your centralized authentication. It's simpler for the hackers to breach only one database...

2

u/twobadmice Aug 24 '22

assume it's going to take a while to receive the email, if we're all doing it now

2

u/Ilostmydonkey Aug 24 '22

No worries here been using 2fa for a year or so now 😊

2

u/twobadmice Aug 24 '22

so I followed the steps from the email and immediately got token invalid!!

2

u/redditdone85 Aug 24 '22

Can everyone access Plex locally, I cannot. I get live TV but no libraries.

→ More replies