- cross-posted to:
- selfhosted@lemmy.world
- cross-posted to:
- selfhosted@lemmy.world
We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
What we’re doing
We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.
What you must do
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
Additional Security Measures You Can Take
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.
Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.
For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset
Fair enough, I was not aware of this, and I wish the developers made this more clear in the issue thread. This does not change my point that my media is not confidential data. I do agree that it should be by default, but a “breach” where someone accesses a piece of media from my server has no tangible impact on me or my server. A breach that includes my email and account information, absolutely does.
I don’t entirely understand what this response has to do with what I said. I’m surprised to hear you say that people praise Jellyfin as being far more secure than Plex, as I have not heard that. Security has nothing to do with why I use Jellyfin over Plex.
I feel it’s overblown either way, as I don’t believe the average user considers their media sensitive enough for it to be an issue. I’m not treating Plex as worse. Again, I’M NOT THE ONE WHO SAID ANY OF THAT. I am simply stating that in this specific instance, this Plex breach has a worse impact than the Jellyfin security concerns you bring up.
My guy, I didn’t start the comment thread, I’m not the one who brought up Jellyfin. I also believe I responded to every point I made, while you ignored many of mine. I don’t know how you can say I’m not reading your comment. You’re being very weirdly hostile when I’m just trying to have a conversation. I don’t have significant stakes in either Plex or Jellyfin. I do prefer one, but I don’t give a shit what others want to use.
Just want to add that I’m not some completely uninformed user. I have a career in cybersecurity, as well as a degree and plenty of certifications. When discussing a vulnerability, we need to consider the actual risk of a vulnerability, using its likelihood of being exploited and its potential impact. The likelihood of someone attempting to brute force media on my Jellyfin is practically nonexistent, as they have essentially nothing to gain. At best, they find an episode of a show or movie that they could find elsewhere. The impact of someone exploiting this vulnerability is also practically nothing. They would get a stream of the video, minutely impacting the performance of my server.
Again, to be clear, I AGREE with sharing this information. People should be aware of this when using Jellyfin. However, it is not an issue for the majority of users. It is also not anywhere near as bad as a breach of actual account information, data that actually is sensitive. I do not agree with framing it to look like using Jellyfin should be considered generally insecure.
Edit: minor phrasing adjustments
Until a media company like Sony scans your server for their content and serves you a summons… Then it will have a significant impact on you. And I doubt the content that Plex leaked actually has any meaningful impact at all. It sucks… and is bad… but shit happens and nothing is perfect. I’m much more trusting of a company that actually responds and fixes problems that gets reported than one that hides in the corner with finger in ears for 5+ years.
We’re on a thread where Plex is being derided for a security problem… Where the principal comment I responded to says “Glad I’m on Jellyfin”. This is an implicit “jellyfin doesn’t have this problem, it’s secure” statement. Otherwise there’d be no point or relevance to the comment for the topic at hand.
You wrote
You are perpetuating that Jellyfin is “secure” to use on the internet. I was directly referencing what you said. I’m not sure why you keep thinking I’m talking about something else.
I’m a CISO. I hire people like you and give you your job. I’m also no “completely random” but playing the appeal to authority card is stupid on a random internet forum. If I were to leak content secured by the applications that I have security ownership of. I’d be completely fucking jacked. Leaking emails and password hashes are meaningless… emails are all well known and password hashes means I just force reset the entire userbase and move on. Plex’s “leak” is annoying… but not actually sensitive at all. You should know this. It will take a significant amount of time for the bcrypt+salted+peppered passwords to actually be decrypted. There’s LOTS of time to hash that out, this email is the start of that process.
Now if your media isn’t worth securing… then why use authentication at all on Plex or JF? Why do you care about your account auth that protects your media if the media isn’t worth protecting? Why is it your default stance that exposing the media is such a nonissue… that your more worried about the data that secures your media more than the actual security of the media?
Unless you’re a media company like Sony, WB, or other company that actually has ownership rights of the IP that you’re storing. Remember… Sony has done things like install rootkits on their consumers computers in order to stop piracy. Why do you think that they’re above asking servers freely if they have their copyrighted content?
The impact isn’t a technical one. but a legal one. And JF could close that door and keep the media confidential in of itself so that this is a non-issue all together but specifically won’t because of “backwards compatibility”. But somehow you trust them to make secure decisions elsewhere with your content?
If you believe the threat of a company scanning a Jellyfin server in an attempt to find copyrighted media is a realistic one, then that’s fine. I do not.
As I said previously, friends and family use my server. Many who are likely to fall for phishing attempts after their email is leaked in a breach like this. I believe the likelihood of them receiving a malicious email from an attacker pretending to be Plex after a breach is much higher than a company successfully scanning my server for copyrighted materials.
Edit:
Like I’ve said a few times. I agree that this should be changed. I do very much hope that Jellyfin does so, and I do feel that it’s worth warning users about. I also still find Jellyfin to be a better option for me than Plex. My own risk tolerance allows for the incredibly tiny possibility a company successfully finds media on my server.
There is no point in continuing this discussion, as we simply disagree, and that is not going to change here.
So now your users could be phished by a Plex phish… which gets the attacker access to your plex instance upon success? But you already said that you don’t find that worth securing since in JF it’s not secure by default… I’m fully not understanding here. Is the worry that your users are reusing passwords?
Any user for your system getting an actual phish for plex will at worst get a request to pay for something. Of which I bet they’d talk to you about it as the server owner first since I doubt anyone would want to pay for something you’ve given them for free.
I’m not seeing the risk here. Want to expound on that? I can clearly see the risk of direct media access if copyright holders start making random claims for things they find on default insecure servers.