- cross-posted to:
- selfhosted@lemmy.world
- cross-posted to:
- selfhosted@lemmy.world
We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
What we’re doing
We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.
What you must do
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
Additional Security Measures You Can Take
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.
Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.
For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset
Doesn’t matter if your info is stolen?
Name email address, password, access history, and probably IP and location…
And that’s just what they disclosed, but they don’t have any timeline or real actions taken to prevent continued access. They don’t even tell you what exactly has been accessed: “information that was accessed included emails, usernames, securely hashed passwords and authentication data.”. It’s really not text book response for a security breach.
But all of that is less important to you than the fact you have Avengers: Endgame in your library?
They are leeches taking money from you, but you 'd defend them even if they killed your dog.
Edit: it’s the third time in a decade Plex got hacked. Please list instances where jellyfin leaked the data of all their users.
Interesting that you assume this is the list of taken things when that wasn’t what was disclosed to us. And Plex has been absolutely forthcoming with this in the past.
Literally everyday since those attack vectors are actively open right now and have been open for 5+ years (jellyfins whole lifetime) and proof of concepted for the developers that whole time.
They do give what has been taken, tho not the complete list so what exactly is anyone’s guess. By authentication data I assume the history of logins. What I listed is nearly literally what they said.
That’s not exploitation nor any proof of any data being leaked. Plex was hacked three times, not theoretically like jellyfin, but 3 actual times their service was breached and hackers stole data…
You do you and keep using it if that makes you feel good, but saying jellyfin is less secure than Plex at this point is laughable.
The proof of concept is in the original JF issue on github. It’s not theoretical. It’s just not known to be actively abused right now… It could very well be abused… and I actually even made my own proof of concept that works. Nothing stops someone from cluing Sony’s lawyers in on the matter and handing over the proof of concept for money… Then what do you do? Just because we “think” it’s not being abused doesn’t mean that you ignore it.
You can probably leave your front door unlocked… until one day somebody just walks in and takes your stuff. They may only take stuff that you don’t find important, that makes it okay right?
It’s more akin to having your CD/DVD library visible through the window. All while asserting it’s better to write your info in a place that already has been broken into 3 times.
Sure jellyfin could do better, but the impact is overblown while literal PII has been stolen from Plex… Sure Sony could see you have Avengers on your instance. Could they prove you got it illegally just from that?
Only takes finding one item that was “streaming service only” to subpoena everything else and require you to provide evidence in court… And yes… I don’t keep things visible in my window that might cause me legal trouble. I wouldn’t have guns mounted on my wall in a state that has a gun ban, then cops have plain-view reasoning to break my door down and take me to jail. This is well litigated. Just like bypassing security features is against the law (as a general rule)… but lemmy doesn’t put those endpoints behind any lock of any form, which loses it it’s protection.
Your argument is literally the same argument that police use to enforce drug laws. Which most of lemmy is against as a general rule. I’m not sure why you think this logic is okay here.
And no… seeing a disk would imply ownership as it’s readily known that DVDs and Blurays possession is a license to have the content. Where digital ownership is not a give just by having the file.