This morning, Plex began notifying users via email of a data breach. According to the company: In its statement, Plex said, “All account passwords that could have been accessed were hashed and secured in accordance with best practices.” The company also said that no credit card or other payment data were at risk, because that data isn’t stored on the company’s servers. The company is requiring a password reset for all its customers. This is a good time for us to remind you that you should never use the same password more than once. If you’re using the password you used for Plex on any other services, you should change that password (make them unique, please!) for those services as well. Plex reported that they have undertaken some mitigation efforts: Earlier, right after receiving the company’s email notification about the breach, I was able to reach the site. As of that time, the company hadn’t posted any information about the breach to either their blog or press release feeds. However, I just went back to the Plex website to check on some information, and found it to be unreachable. One of my ZDNET colleagues in the UK (I’m in Oregon) confirmed it was down for her as well as it’s showing down on Down Detector. On one hand, this could be the result of all their users rushing to change their passwords, but it could also be indicative of an additional attack. Update: As of 8am ET, the Plex site is back online. Given that the company’s site is currently unreachable, this is probably an ongoing story. We’ll be keeping an eye on this. You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.
