A Security Incident That May Involve Your Plex Account Information

Posted4 months agoActive4 months ago

Shank

39 points

33 comments

forums.plex.tvTechstory

skepticalnegative

Debate

60/100

PlexSecurity IncidentData BreachPassword Management

Key topics

Plex

Security Incident

Data Breach

Password Management

Plex users are notified of a security incident potentially involving their account information, sparking concerns about password management and the company's transparency.

Snapshot generated from the HN discussion

Discussion Activity

Very active discussion

First comment

Peak period

0-2h

Avg / period

4.1

Comment distribution33 data points

Loading chart...

Based on 33 loaded comments

Key moments

01Story posted
Sep 10, 2025 at 3:00 AM EDT
4 months ago
Step 01
02First comment
Sep 10, 2025 at 3:02 AM EDT
3m after posting
Step 02
03Peak activity
23 comments in 0-2h
Hottest window of the conversation
Step 03
04Latest activity
Sep 10, 2025 at 9:25 PM EDT
4 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (33 comments)

Showing 33 comments

cranberryturkey

4 months ago

2 replies

use zymotv instead of plex or emby

colordrops

4 months ago

1 reply

Or better yet use Jellyfin.

hnlmorg

4 months ago

2 replies

I’ve been considering switching to Jellyfin.

I’m getting increasingly frustrated at just how badly Plex behaves for home set ups. Which is the entire point of installing something like Plex.

Most annoying still, I’ve even paid for their premium products in the hope that it would make things behave better and it did not.

The only reason these security incidents happen is because Plex try to extort home users. There isn’t any other compelling reason to have your details on their database with credentials to active installs.

wiether

4 months ago

I am part of a network of "Plex admins", meaning each one of us own and maintain their own Plex server with their own library.

Thanks to the centralized Plex account, we can share our libraries with each other in a few clicks.

You can do the same if you don't have a server also, basically being a member of various Plex server and accessing everything through a single account and interface.

Sure, requiring an account if all you want to do is being the single user accessing your own instance is useless, and if it's your usecase, then Plex is not the right tool for you.

I tried Plex, Emby and Jellyfin, but I staid with Plex because of this easy sharing feature.

Sheeny96

4 months ago

I run my Jellyfin on a Pi 5 8GB (with a bunch of other homelab stuff) and run an OSMC (Kodi + Jellyfin plugin) on a Pi 3b 2GB with absolutely no issue. OSMC automatically integrates with my TV remote, runs very low power and smooth. I never used any of the Plex stuff that wasn't my media, so I prefer it this way. Less bloat, more customisable.

bigiain

4 months ago

2 replies

Is Emby somehow related to Plex?

I use Emby, only because a few friends did and recommended it. I'd probably switch ti something more secure and/or open source given the right push.

ksynwa

4 months ago

1 reply

Emby and Plex are separate projects. Jellyfin is a hard fork of Emby.

bigiain

4 months ago

Thanks :-)

crooked-v

4 months ago

From what I understand they're unrelated and the similarities come from convergent evolution.

rockbruno

4 months ago

2 replies

I made an account there to use my Home Assistant as a media server and it's already the second time they reported that they messed up something. I heard you can install VLC on the Apple TV and stream through that, so I'll definitely do that and skip these weird middle companies.

dav43

4 months ago

I just use infuse or vid hub app and an SMB share.

Tajnymag

4 months ago

Why not use Jellyfin then? It's basically an open source alternative to Plex. You run Jellyfin on your server and in Apple TV use Swiftin (Jellyfin + Swift) for integration.

amatecha

4 months ago

2 replies

Once I saw Plex required an account even to self-host, it was a no-go for me. Stuff like this is why. (among other reasons, like "why should I go through a 3rd party for something I'm 100% hosting on my own hardware/network")

I've been very happy with Jellyfin FWIW :)

nsbk

4 months ago

1 reply

I switched to Jellyfin last year and never looked back. The only thing I find lacking is the Apple TV App, I tried Swiftfin but it stutters the whole time when playing high quality UHD content. I tried Infuse and it works much better

timothevs

4 months ago

Have you tried Infuse?

shellwizard

4 months ago

The big selling point of Plex vs jellyfin is that their app is in all of the major stores.Samsung smart TVs for example

untrimmed

4 months ago

1 reply

I appreciate the transparency, but the phrase securely hashed always makes me a little nervous. It's a huge spectrum, right? We talking bcrypt/scrypt with a proper salt, or something from the old days?

jorams

4 months ago

When they got hacked three years ago the notice included this:

> Even though all account passwords that could have been accessed were hashed (with bcrypt plus salted and peppered) and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.

Whether that later changed for the worse is anyone's guess.

m4tthumphrey

4 months ago

3 replies

I am a huge Plex power user; watching something at least once a day.

Unfortunately, Plex is a bit of a mess these days - constantly pushing Live TV on us, requiring internet access to access local media (this is a killer whenever internet goes down), overly complex, clunky remote access (altho this is much better these days). But it still isn't bad enough to make me try and migrate. I love my local setup (Sonarr and a custom app for movies as Radarr is OTT for the amount of movies we watch) and Plex is very polished (compared to the alternatives) but I do wonder how much longer it will be around.

t0lo

4 months ago

1 reply

Conversely I love the plex tv channels as an alternative to regular australian free to air- same as the lg channels.

Easy way for me to turn my brain off and find a good documentary/educational show at the end of the day

m4tthumphrey

4 months ago

I don't mind them doing it, but they shove it in my face constantly when I've clearly said I am not interested.

stinky613

4 months ago

1 reply

> requiring internet access to access local media

Good news! You can whitelist exceptions by IP/subnet

Go into Plex Settings, then Settings > Network (show advanced). Scroll down to "List of IP addresses and networks that are allowed without auth"

"Comma separated list of IP addresses or IP/netmask entries for networks that are allowed to access Plex Media Server without logging in. When the server is signed out and this value is set, only localhost and addresses on this list will be allowed."

Put your local subnet and netmask into that (e.g. "192.168.1.1/255.255.255.0") and you should be all good

FYI, I also have "Secure Connections" set to "Preferred", but I don't know if that makes a difference for this or not

m4tthumphrey

4 months ago

NO WAY!! I will check this out later! Thanks!

add-sub-mul-div

4 months ago

Live TV is magical when you set up ErsatzTV and self-host that part as well. You can make channels out of anything. The modes of "I want to watch this specific thing now" and "I want to see what's 'on' right now and pick something to put on in the background" are very different and complementary. I end up relying on the latter more than the former.

wiether

4 months ago

1 reply

PSA: If you are the owner of your Plex server and follow the _Sign out connected devices after password change- as they suggest, your server claim will also be expired.

So you'll have to get a new claim from https://www.plex.tv/claim and set it on your server; through the PLEX_CLAIM env var if your setup involves Docker.

They talk vaguely about it under _Common Issues_ but it wasn't on the original email, so I lost 15 minutes of my day because of this...

cprecioso

4 months ago

1 reply

Yep, this was a huge hassle for me, I didn't realize it would happen!

Another option is to do `ssh -L 32400:localhost:32400 <your-plex-address>` and connect to http://localhost:32400/web, it will let you claim the server as it detects the connection being local.

mixedCase

4 months ago

Thanks for the one-liner, solved it within 30 seconds!

8cvor6j844qw_d6

4 months ago

Anyone remember a few years back there was a major Lastpass data breach?

I roughly recall Plex is somewhat involved in the compromise. One of the Lastpass employees compromised via Plex that leads to Lastpass data breach if I'm not mistaken.

spondyl

4 months ago

Thanks for the reminder. I went to reset my password when the email went out but when following the reset flow, I hit a Cloudflare page (due to the origin presumably having crashed) and got sidetracked

tucnak

4 months ago

On a related note; if you're still considering whether you should put passwords, or rather, hashes thereof—in your application database of choice—please, decide against doing so at all costs! Instead, you should probably use a dedicated secret management deployment: think Hashicorp Vault[1], OpenBao[2], or Keto[3] if you'd like to go beyond with ReBAC (Relationship-based access control) of Google's Zanzibar[4] fame. The benefits of a HA deployment like this far outweigh the upstart integration costs as you get to use a single, shared frame of reference to reason about your internal and external resources alike. Customer passwords, passkeys, certificates, internal CA, ACME, at-rest, in-transit, what have you, is controlled from a single point of consumption with one policy space to rule them all. It helps to use dedicated HSM capability, too. In cloud environments, AWS Nitro enclaves exist now; you could put something like Vault inside one[5].

Vault is more or less Old Testament, though, so if you're serious about zero trust, Zanzibar paper is a must-read!

Relationships lend nicely to AI agent stuff, where RBAC is putting you at a disadvantage. It's hard to express both direct and indirect access patterns in RBAC. For example, whenever agents would act on your, or your user's behalf within a clearly-defined scope (sic!) This is where traditional RBAC breaks down, whilst ReBAC really shines for expressing relationships between user/agent/system identities, thus greatly simplifying checking, scoping, audit.

[1]: https://developer.hashicorp.com/vault

[2]: https://openbao.org/

[3]: https://www.ory.sh/keto

[4]: https://research.google/pubs/zanzibar-googles-consistent-glo...

[5]: https://edgebit.io/enclaver/docs/0.x/guide-vault/

bigiain

4 months ago

Dupe?

https://news.ycombinator.com/item?id=45174684

(Or at least related, this submission has the plex.tv website breach notification, not just the text of the email.)

gbil

4 months ago

I can only comment that their communication on the incident is lacking, I've read about the incident yesterday and only today I received the relevant email. On top, it seems that all of a sudden I started getting marketing emails from them although I had unsubscribred in the past, coincidence?

joecool1029

4 months ago

Maybe related to last month's serious vuln: https://app.opencve.io/cve/CVE-2025-34158

View full discussion on Hacker News

ID: 45194218Type: storyLast synced: 11/20/2025, 1:42:01 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN