What happened

Plex says it identified unauthorized access to a database containing account information. After investigating the incident, the company moved to contain the intrusion, hardened affected systems, and initiated a precautionary password reset for users. The goal is to prevent attackers from leveraging any exposed login details and to ensure that all active sessions are protected.

While the investigation is ongoing, Plex indicates that core services remain operational. The company is communicating directly with customers via email and in-product prompts to guide them through the reset process and recommend additional security measures.

What data may be impacted

According to Plex’s notice, the information potentially exposed includes:

• Email addresses associated with Plex accounts
• Usernames or display names
• Password hashes (secured using industry-standard hashing and salting)

At this time, Plex states there is no indication that payment card details or billing information were exposed, as such data is typically handled by external payment processors rather than stored on Plex’s core systems.

Who is affected

Out of an abundance of caution, Plex is instructing all users to reset their passwords, not just a small subset. Even if your account shows no unusual activity, you should complete the reset and review your sign-ins across all devices.

What Plex is doing now

• Enforcing password resets for users
• Invalidating active sessions where appropriate, requiring fresh logins
• Applying additional security hardening and access controls
• Continuing a forensic review to confirm scope and root cause

Plex also recommends that customers enable two-factor authentication (2FA) to add a second layer of protection to their accounts.

What you should do right now

1. Reset your Plex password:
   • Go to the official Plex site (plex.tv) and sign in, or follow the password reset link provided by Plex in its notification.
   • Create a strong, unique password you are not using anywhere else.
2. Sign out of connected devices:
   • After changing your password, use the option in your Plex account settings to sign out of all devices or review active sessions one by one.
   • Log back in only on devices you trust.
3. Enable two-factor authentication (2FA):
   • In Plex account settings, turn on 2FA and register an authenticator app (e.g., Authy, Google Authenticator, 1Password).
   • Save your backup codes securely in case you lose access to your authenticator.
4. Watch for phishing and scams:
   • Be cautious with emails asking you to “verify” your Plex credentials or payment info.
   • Navigate directly to plex.tv instead of clicking links in unsolicited messages.
5. Update reused passwords elsewhere:
   • If you used your previous Plex password on other sites, change those as well—preferably to unique passwords managed by a reputable password manager.

Step-by-step: Resetting and securing your account

1. Visit plex.tv and choose “Sign In.”
2. Select “Forgot?” or “Reset password” and enter your account email.
3. Follow the link from Plex’s email to set a new, strong password (16+ characters; include a mix of letters, numbers, and symbols).
4. After resetting, open Account > Security and:
   • Enable two-factor authentication.
   • Review “Authorized Devices” or “Active Sessions.” Revoke anything unfamiliar.
   • Use “Sign out of all devices” if you’re unsure about any entries.

Practical security tips going forward

• Use a password manager to generate and store unique passwords across services.
• Regularly check account activity logs where available.
• Consider a separate email alias for streaming or media services to compartmentalize risk.
• Keep your Plex Media Server and apps updated to the latest versions.

Frequently asked questions

Was my credit card information exposed?

Plex says there’s no evidence payment details were affected. Typically, credit card processing is handled by third-party providers, and full card data is not retained by Plex.

Do I have to reset if I use 2FA?

Yes. 2FA is an important safeguard, but Plex is still asking users to change passwords as a preventive step.

Do I need to re-login on TVs and streaming boxes?

Likely yes. After you reset your password and revoke sessions, you’ll be prompted to sign in again on your Plex apps and clients.

How can I confirm official communications from Plex?

Verify the sender domain and avoid clicking on unexpected links. For safety, go directly to plex.tv and check your account notifications or Plex’s official status and support pages. Reputable coverage, such as reports from BleepingComputer, can provide additional context, but make changes only through official Plex channels.

The bottom line

Plex has moved quickly to contain a breach involving account data and is requiring password resets as a precaution. Take a few minutes to change your password, enable 2FA, and review your active sessions. These steps greatly reduce the chance of unauthorized access, both now and in the future.