- cross-posted to:
- selfhosted@lemmy.world
- cross-posted to:
- selfhosted@lemmy.world
We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
What we’re doing
We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.
What you must do
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
Additional Security Measures You Can Take
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.
Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.
For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset
Then how would they email you?
Look at addy.io and similar.
I agree addy or simplelogin, etc are great.
I started using an email forwarding service when I setup a new email a few years ago and I still have zero spam, because as soon as one service sends one too many marketing emails that I can’t turn off, I simply disable the email alias I used with them (and enable it again if needed down the line).
This is the only way because no website, etc is gonna keep your email address safe and secure, because they don’t really care about you.
Using aliases everywhere also makes it hard to track you based on your email (assuming services share this between each other, advertisers, etc).
You must have a lot of trust in the email forwarding service you use though and I probably wouldn’t use them for anything very important like banks, etc.
Ideally, they wouldn’t
Decode like any other PII, so it is encrypted at rest and when stolen.
Encryption and hashing are different things. You can’t get the original back out of a secure hash. They’re used only to confirm that whatever piece of data you have now matches the one that was provided originally, because they produce the same hash. You can’t store hashes for any data that you ever want to be able to read.
e-mail hasing is viable if you are only using your email for sign in and account recovery. Unfortunately it’s not happening because every service would also want to send you periodical emails about other stuffs.
Yeah I want thinking when I wrote that. But the idea still stands encrypt the emails.
So not hashed, and readable through whatever API accesses it anyway.