We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.

What happened

An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.

Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.

What we’re doing

We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.

What you must do

If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.

If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says “Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

Additional Security Measures You Can Take

We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.

Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.

For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/account-requires-password-reset

  • MaggiWuerze@feddit.org · 2 months ago (6 up, 2 down)

    Love you for still trying. I don’t know how often I’ve written the same comment. They simply don’t care.

    • Saik0@lemmy.saik0.com · 2 months ago (4 up, 2 down)

      I think people think that I’m anti-jellyfin or something. I’d love to dump Plex… I WANT to dump it so bad (basically the day they did the arcade shit I’ve been highly turned off, what was that? 6 years ago?). But Plex is the best tool for what I need. Jellyfin could be there… But it’s not. Every time I see it recommended blindly without the massive caveats (especially in the context of a random Plex fuckup that is substantially less of a problem) I just feel compelled to attempt to remind people. I dunno. Deaf ears maybe… but blind trust just because it’s open source isn’t the answer either. And honestly it turns me off contributing to some of the projects that I do because if I was to speak out about problems in those… how many people would listen?

      The most succinct response I’ve seen on the matter: “The statements The Jellyfin Project makes about exposing Jellyfin directly to the Internet, without a reverse proxy, is less about Jellyfin being insecure and more about there being no effort made to make Jellyfin secure.”

      • MaggiWuerze@feddit.org · 2 months ago (4 up, 2 down)

        Yeah, me as well. I have a Jellyfin configured and ready to go, but since I share my Plex with a lot of users, half of whom would be turned off by the need for a VPN, I won’t switch until they’ve sorted their shit out.

        and more about there being no effort made to make Jellyfin secure.

        That’s exactly it. And I feel the devs found that their users don’t care or will even defend it, so they won’t tackle it and avoid the problems that come with a rewrite of parts of their API. Plex gets flak for not adding quality of life features people want for the media player, but Jellyfin gets a pass for actual security issues.

      • AmbiguousProps@lemmy.today · 2 months ago (2 up, 1 down)

        I agree. I’d 100% love to dump Plex immediately, but trying to get my MIL across the country to set up a VPN is just not going to happen. Even if I ship a preconfigured Raspberry Pi over there, it won’t work for her TV and if it breaks, she’s gunna want me to go out there and fix it. If Jellyfin ever gets it together enough for that to no longer be necessary, I’ll leave Plex. But for now, I’m gunna unfortunately stay with Plex.

      • theherk@lemmy.world · 2 months ago (4 up, 3 down)

        It seems strange to me that you feel a service which forces you to log into a cloud service then leaks private data is somehow better than a service that allows users to operate strictly offline.

        • Saik0@lemmy.saik0.com · edited · 2 months ago (3 up, 2 down)

          Feels strange to me that we just accept comments like these that imply that jellyfin is a direct replacement for Plex when you yourself say it’s not. Especially an implication that you’d only “hack one” when the software itself has a massive gaping hole on ALL installs. Your only saving grace is if you deviate from “standard” install procedures.

          I’ve already mentioned it several times. I want to dump Plex. I don’t like the SSO that they solely control. I don’t like many of the changes that they’ve made in the 12 years I’ve been using it. It’s still the best product for watching my content.

          Nobody is running Jellyfin strictly offline. At the bare minimum people leave it internet connectable to grab metadata and other resources, and more realistically in the context of a topic about Plex, Jellyfin would need to be internet accessible because that’s why people are using Plex. The jellyfin devs have already made it clear they don’t care about security issues. Why are you trusting the software when they ignore simple-to-fix issues that have merges waiting but they won’t implement because “reasons”? What other issues could be lurking leaving you open for liability? If someone can show you an issue from 5 years ago that is categorically a security issue and the devs refuse to fix it… you should also be questioning EVERYONE who advocates its use to replace a service that’s meant to be accessible in the way Plex is.

          Edit: adding a little bit… forgot about it.

          • theherk@lemmy.world · 2 months ago (1 up)

            comments like these that imply that jellyfin is a direct replacement for Plex when you yourself say it’s not.

            I didn’t say that. I agree with it though. They aren’t 1:1.

            I’m not arguing with you about the merits of you using Plex. Entirely possible it suits your needs better. But most important to many of us is the ability to run offline. Once you’re online, you’re right that Jellyfin has some ground to make up.

            Nobody is running Jellyfin strictly offline. At the bare minimum people leave it internet connectable to grab metadata and other resources,

            I run it offline, in a network that doesn’t even have a path from the outside world. I have a separate gluetun network for getting metadata outside the media server. Even still, connecting to the internet is a vastly different security service than allowing connections from the internet.

            I wouldn’t even really debate any of your negative points about Jellyfin; all true. I’m just saying Jellyfin is a replacement for Plex in many cases, even if not yours. For me, where I want to run offline a service that doesn’t force me to log into a cloud server to watch my own stuff on my own network, it is a replacement. And on top of that, I just like it more. I like the interface more and feel its syncplay is less problematic.

            • Saik0@lemmy.saik0.com · edited · 2 months ago (4 up, 1 down)

              I didn’t say that. I agree with it though. They aren’t 1:1.

              I was referencing the picture… which was the original comment I replied to. I recognized that your comment delineated that jellyfin should be offline. I appreciate that. I wish I saw more of that. This way we don’t screw the new people to our media hoarding ranks. (I mean seriously… There’s people like this out there… https://www.shodan.io/host/180.125.230.199 They’re part of this community… somewhere.)

              I like the interface more and feel its syncplay is less problematic.

              It is… And I’m actually quite jealous that you have people using your server that you can watch movies together with… and are all using and capable of using a tunnel service without stupid amounts of support or other equipment limitations (good luck getting a VPN working on a Roku TV!). But if I want to syncplay with my family… Plex is the only sane answer, regardless of its functional flaws.

              Edit: or even worse… This person… https://www.shodan.io/host/136.61.116.233 Where you can see the jellyfin service user that has a valid login on RDP… and their JF is accessible at jellyfin.nonooculusnas.com. It’s even behind Nginx Proxy Manager! (which is recommended by the JF dev team) Yet still responds to probing for content…

              • LucidNightmare@lemmy.dbzer0.com · 2 months ago (1 up, 1 down)

                If I were you, I wouldn’t even let the others flabbergast you!

                Thank you so much for providing so much detail in your comments. I have actually learned a thing or two about Jellyfin. I, like you, am wanting to get off Plex ASAP, but haven’t had the time to sit down and go through with it just yet. Thanks to you, I see those Shodan examples you provided, and the fact that their freaking LOGIN shows up is beyond scary to me.

                I appreciate what you have shared. Thank you!

                • Saik0@lemmy.saik0.com · 2 months ago (2 up)

                  eh, I’m probably pretty grumpy about this discussion because I keep having the same exact 4-5 talking points “discussed” over and over just every few months. So I get that I’m probably not the most fun to interact with. But this is the point. If nobody ever brings up these issues (including the JF devs themselves on their install documents) then we end up with more people like these Shodan people.

                  The JF devs had a 5 year opportunity to close one massive big hole, that would have been simple and easy. The issues related to it are well known to the dev team and proof of concept was submitted over 5 years ago to them. They actively refuse to merge the code that would fix it because of “reasons” (most cited being “compatibility” with some players). And the most cited solution is “reverse proxy”, which is fine… but doesn’t resolve the problem on its own. Case in point with the second Shodan link: you can reach their instance and you can try the calls and it still “works” even though it’s behind NGINX.

                  This is a massive problem that isn’t being abused yet that we know of… but that problem is in EVERY JF instance… and has been the whole time JF has been a project since that problem was in the version of emby that JF is forked from. So to say that “Plex bad cause security!” when they specifically notify and do the “right” things in response to a problem is crazy when JF’s answer has been literal crickets for half a decade.

                  But yeah, Shodan in general is a really fun tool. It’s good habit to check your own stuff out and see what you’re exposing to the world that’s just findable.

                  Here’s another thing lots of people overlook. If you use Let’s Encrypt or some other service… look into pulling wildcard certs instead of your specific jellyfin subdomain. https://crt.sh/ and other sites will record every public cert that’s registered. Pop your own domain in… Can search for all sorts of stuff this way too.
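Following up on the crt.sh self-check suggested in the comment above, here is an added example (written for this thread, not from any commenter or from the crt.sh project) that parses crt.sh-style JSON for a domain and lists the service hostnames those public certificate records disclose, showing why a wildcard cert keeps the jellyfin subdomain out of the logs. The `name_value` field layout and the `output=json` query string are assumptions about the crt.sh API, and the sample records are constructed.

```python
import json
import urllib.request
from urllib.parse import quote

def hostnames_from_crtsh(records):
    """Collect every DNS name from crt.sh-style JSON records.
    crt.sh emits one record per logged certificate; its 'name_value' field
    holds the subject/SAN names, newline separated (assumed here from the
    public crt.sh JSON output). Returns sorted, unique, lowercase names."""
    names = set()
    for rec in records:
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name:
                names.add(name)
    return sorted(names)

def exposed_services(records, service_labels=("jellyfin", "plex", "nas")):
    """Non-wildcard names whose leftmost label advertises a service.
    '*.example.com' discloses nothing about which services exist, which
    is the thread's reason for preferring a wildcard certificate."""
    hits = []
    for name in hostnames_from_crtsh(records):
        if name.startswith("*."):
            continue
        if name.split(".")[0] in service_labels:
            hits.append(name)
    return hits

def fetch_crtsh(domain):
    """Live lookup (needs network): crt.sh JSON for every cert under domain."""
    url = "https://crt.sh/?q=" + quote("%." + domain) + "&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode())

# Constructed sample data standing in for two crt.sh responses.
PER_HOST_CERTS = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "jellyfin.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com"},
]
WILDCARD_CERTS = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com\nexample.com"},
]

if __name__ == "__main__":
    print(exposed_services(PER_HOST_CERTS), exposed_services(WILDCARD_CERTS))
```

Run `exposed_services(fetch_crtsh("yourdomain.example"))` to check a domain you own; the per-host sample discloses `jellyfin.example.com`, the wildcard sample discloses nothing.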

                  • LucidNightmare@lemmy.dbzer0.com · 2 months ago (2 up)

                    I’ll be honest, even this is all new to me. I’ve had trouble wrapping my head around certs and ports, so I’ve always just never even tried anything that would make a port available (as far as I am aware…) so your points have at least reached an audience who appreciates the examples you’ve provided.

                    Feel free to ignore if you don’t have the mental energy or will to, but where could I find a good source for learning this type of stuff without finding out the hard way like some of those poor people on Shodan? You’ve awakened a fear I didn’t even know I had. lol