- cross-posted to:
- selfhosted@lemmy.world
- cross-posted to:
- selfhosted@lemmy.world
We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
What we’re doing
We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.
What you must do
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
Additional Security Measures You Can Take
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.
Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.
For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset
Well… I’ll be blunt here. I taught in an R1 institution for a bunch of years. Even people graduating with a Masters in the IT field can know very little about these subjects (which could be a statement of the program itself… but in my opinion mostly of the students lack to join concepts together as I literally had many of those students go through my security and operations classes). It’s possible for the best of us to be blind sided by random things that we didn’t recognize as a problem because we didn’t realize that concept x and y are related. I’m no exception to this and never claimed to be.
IT is a big field and security a hot-button, constantly growing, subfield of it’s own. Which doesn’t help… it’s breakneck to keep up with.
I don’t know of any single source of truths to give you here. Some basic tenants of security… Security through obscurity doesn’t work. Expose as little as you can. Keep everything you can behind some form of trusted/audited auth unless you really want it to be abused. Keep backups (3-2-1) of anything you care about. Encrypt wherever possible. MFA/2fa everything possible. Don’t reuse credentials. I’m sure there’s more that others could chime in with.
Ultimately all you can do is minimize your risk pool. It’s impossible to completely negate it. Keep an eye out on cyber news so you can learn the “new hotness” of the week as far as how things are getting attacked. It’s not necessarily something that needs to be feared, as long as you understand the risks.
You can probably start going through resources like https://www.w3schools.com/cybersecurity/ if you really want to pick up on the basics of stuff out there. And I don’t mind legitimate discussion most of the time if you want to talk about stuff, as grumpy as I might sound, I used to be an educator and have no problems with talking about the stuff I know. Though I am quite sardonic these days, it’s just my cope with the world as I see it fall apart.
The number one thing that helps learn all of it though… a homelab. Every. Single. Student I’ve ever talked to I told “get a homelab, try shit out”. In the context of my classes though, that also meant “try breaking it” too.
Thank you so much. Your knowledge is valuable to someone like me, at least!
I would assume the only thing I have exposed is Plex, since that’s the only thing I access outside of my home. I got the backups down pat now (through learning the hard way, unfortunately…). I use MFA for everything that offers it. I never use the same password for anything.
Seems like my trepidation for online stuff has helped me some in this case. I will definitely be checking out the w3schools, so thank you so much for providing that link!
All in all, your words have helped me today at the least, so I very much appreciate you taking your time to respond and help educate me. It means more than you will probably ever know. I don’t have tech people in my life, and have never had that. I’m the only one in any group I interact with that has any slight interest in technology. I learn best when it is under someone who knows what they are talking about or at the very least can provide ways to explain things.
Anyway, again, sincerely, thank you!
Yeah I feel this. These days it’s near impossible to just pick up on your own. When I was growing up and getting into it, you could still disassemble things and see how they were all connected (and poke at them to make it do weird stuff!). Now-a-days it’s all multilayer boards and impossible to piece together without an electrical engineering degree and an xray machine. It’s hard to ramp into the material when it’s such a vast topic that’s quite hostile to new blood.
The IT side has similar issues… Lots of stuff has been distilled to “this ansible script will handle ALL of it if you setup a 5 line config file” (Or a docker compose file that you just edit and run)… You miss all the backend stuff that’s happening and don’t get the understanding of how it all talks together and works.
Convenient… but not generally good for actual understanding.
Good luck on your IT adventures! Feel free to reach out again if there’s something you want to talk about.