Plex started life as a fork of the open source XBMC (XBox Media Center) project, now known as Kodi. Back in the day, XBMC put a lean-back UI on top of a wide range of media playback codecs, allowing users to watch stored movies and videos on their TVs and computer screens. Over the years, Plex has carved out its own identity, adding streaming to its business model, and is today a wholly unique product compared to its XBMC roots.
This morning, Plex began notifying users via email of a data breach. According to the company:
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.
In its statement, Plex said, “All account passwords that could have been accessed were hashed and secured in accordance with best practices.” The company also said that no credit card or other payment data were at risk, because that data isn’t stored on the company’s servers.
The company is requiring a password reset for all its customers. This is a good time for us to remind you that you should never use the same password more than once. If you’re using the password you used for Plex on any other services, you should change the passwords for those services as well (make them unique, please!).
Plex reported that they have undertaken some mitigation efforts:
We’ve already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions.
Earlier, right after receiving the company’s email notification about the breach, I was able to reach the site. As of that time, the company hadn’t posted any information about the breach to either their blog or press release feeds.
However, I just went back to the Plex website to check on some information, and found it to be unreachable. One of my ZDNET colleagues in the UK (I’m in Oregon) confirmed it was down for her as well, and it’s showing as down on Down Detector. On one hand, this could be the result of all their users rushing to change their passwords, but it could also be indicative of an additional attack.
Update: As of 8am ET, the Plex site is back online.
Given that the company’s site is currently unreachable, this is probably an ongoing story. We’ll be keeping an eye on this.