Media streaming and server app Plex is urging all users to immediately change their passwords after a “potential data breach” stemming from a hack on its systems. The team said it discovered suspicious activity in one of its databases on Tuesday which involved usernames, emails and encrypted passwords being accessed by the unknown hackers.

Soon after an email was sent to users warning them to change their passwords the plex.tv website went down, possibly under the weight of the number of people trying to change their login details.

Tech Monitor has contacted Plex about the cause of the site outage which prompted some users to take to Twitter and complain that after logging out of all devices they cannot get back in because the site is down.

Hackers were able to access a small subset of data from Plex (Photo: gorodenkoff/iStock)
Hackers were able to access a small subset of data from Plex. (Photo courtesy of gorodenkoff/iStock)

Plex is one of the most prominent self-hosted video platforms on the market. It is a client-server media player that lets users access photos, video and audio from their own collection that can be stored on Windows, macOS, Linux or in a special-purpose device such as a network attached storage device and digital media player.

The main interface to access these devices is an app available on desktop, mobile and most smart TVs and media devices. Users can then view video, audio and photos on multiple devices simultaneously. More recently, the service has started making other free TV and movie streaming platforms available within the Plex interface.

In an email sent to users affected by the data breach, Plex wrote: “While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.”

The streaming service began an investigation soon after noticing the unusual activity and found that the hacker had gained a “limited subset of data” and even though passwords had been “hashed and secured in accordance with best practices” it recommended that users change passwords.

The company says no payment data had been stolen as it is not stored on Plex servers and as such was “not vulnerable in this incident”.

Plex hack: security review ongoing

Plex says that it has addressed the method used to access its databases and is carrying out further reviews “to ensure the security of all of our systems is further hardened to prevent future incursions”.

“Long story short, we kindly request that you reset your Plex account password immediately,” Plex said in an email. It also urged users to tick the box to sign out of all devices, adding that “this is a headache, but we recommend doing so for increased security”.

“We sincerely apologise to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring.

“We are all too aware that third parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses.​”

Jake Moore, global security advisor at security vendor ESET, praised Plex for taking quick action to warn users of the data breach. He told Tech Monitor: “Plex has refreshingly forced a password reset on all accounts and made all users aware of what they should do now.

“The aftermaths of most data breaches are rarely open and transparent but this seems to offset the norm and offer their customers what they need. Once data has been exfiltrated, users need to be made aware immediately in case it jeopardises other accounts yet so often we see companies hold back this information from their customers until they have to which is often too late.”

Read more: Personal data breaches are falling – except in Russia