On August 24th, 2022, Plex sent a subset of its users a notification of an incident that occurred on August 23rd, where they discovered suspicious activity on one of their databases. Plex noted that the attacker, who is unknown at this time, was able to access a limited subset of data, including emails, usernames, and “encrypted” passwords. No credit card or other payment data was stolen in this incident. Plex goes on to note that while all passwords were hashed and secured in accordance with best practices, all affected users should change their passwords out of an abundance of caution.
While Plex has advised users affected by this breach to reset their passwords, the password reset isn’t enforced via automatic sign-outs. Additionally, users are still able to log in with their old credentials without a prompt to change their password upon logging in. The true impact of this breach is unclear at this time, with some users reporting that the problem doesn’t seem to impact free accounts, but this claim is not yet verified at the time of writing. Further, in the early hours of August 24th, the Plex.tv website experienced an outage – it is unknown if this outage is related to the unauthorized database access, a separate DDoS attack, or something else entirely.