Plex Suffers Second Major Data Breach in Three Years, Urges Password Reset
Media streaming platform Plex is forcing password resets for its millions of users after confirming a cybersecurity breach where attackers accessed customer authentication data. According to an official breach notification obtained by BleepingComputer, the compromised database contained:
- Email addresses
- Usernames
- Securely hashed passwords
- Account authentication tokens
"An unauthorized third party accessed a limited subset of customer data from one of our databases," Plex stated. "While we quickly contained the incident, information that was accessed included emails, usernames, and securely hashed passwords."
Critical Security Gaps
While Plex emphasized passwords were "securely hashed in accordance with best practices," the company notably withheld details about the specific hashing algorithm used. This omission raises significant concerns among security experts: fast general-purpose hashes such as SHA-1 or MD5, as opposed to slow, salted password hashes, would let attackers recover passwords from the leaked hashes by brute force.
Immediate User Action Required
Plex urges all users to:
1. Reset passwords immediately via plex.tv/reset
2. Enable the "Sign out connected devices after password change" option during reset
3. For Single Sign-On (SSO) users: Log out of all sessions via plex.tv/security
4. Activate two-factor authentication (2FA) for enhanced protection
The password reset will terminate all active sessions—requiring reauthentication on devices—but is critical for blocking unauthorized access using stolen tokens.
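To make the two points above concrete, here is an added example (not Plex's code) of a minimal account store that keeps passwords as salted PBKDF2 hashes, so a leaked row cannot be brute-forced at MD5 or SHA-1 speed, and binds every session token to a per-account credential generation, so a password reset rejects all tokens issued before it. The store layout, parameter values and function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed in-memory account store for illustration only.
# Work factor: tune so one hash costs tens of milliseconds on your servers;
# a fast hash (MD5/SHA-1) would be millions of times cheaper to brute-force.
PBKDF2_ITERATIONS = 600_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    generation: int = 0                         # incremented on every password change
    tokens: dict = field(default_factory=dict)  # token -> generation at issue time


def _kdf(password: str, salt: bytes) -> bytes:
    # Salted, iterated key derivation: each guess costs the attacker the same work.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def create_account(password: str) -> Account:
    salt = os.urandom(16)                       # unique per account: no shared rainbow tables
    return Account(salt=salt, pw_hash=_kdf(password, salt))


def check_password(acct: Account, password: str) -> bool:
    # Constant-time compare so timing does not reveal how many bytes matched.
    return hmac.compare_digest(acct.pw_hash, _kdf(password, acct.salt))


def issue_token(acct: Account) -> str:
    token = secrets.token_urlsafe(32)           # high-entropy, unguessable token
    acct.tokens[token] = acct.generation
    return token


def token_valid(acct: Account, token: str) -> bool:
    # Only tokens issued under the current generation are accepted; a stolen
    # token from before a reset no longer matches, even if it is still stored.
    return acct.tokens.get(token) == acct.generation


def reset_password(acct: Account, new_password: str) -> None:
    acct.salt = os.urandom(16)                  # fresh salt with the new password
    acct.pw_hash = _kdf(new_password, acct.salt)
    acct.generation += 1                        # this is the "sign out connected devices" step
```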
Recurring Security Failure
This incident mirrors Plex's August 2022 breach where attackers similarly exfiltrated hashed passwords and authentication data. The recurrence suggests systemic vulnerabilities in Plex's infrastructure, particularly around database access controls.
"The fact that nearly identical breaches occur years apart indicates fundamental flaws in security posture," noted a senior security engineer specializing in cloud platforms. "Hashing alone isn't enough—companies must implement zero-trust architectures and rigorous access monitoring."
Plex confirmed payment data was unaffected (as it's not stored on their servers) and claims to have patched the intrusion vector, though technical specifics remain undisclosed. The timing coincides with Picus Security's latest Blue Report revealing a 46% surge in successful password cracking incidents year-over-year—underscoring the critical need for robust credential protection.
Source: BleepingComputer