Streaming media platform Plex sent out an email to all its users on Wednesday, August 24, advising them to change their passwords as soon as possible.
In the communication message, the company said it discovered suspicious activity on one of its databases on Tuesday, August 23.
“We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords,” Plex wrote.
The streaming platform did not confirm whether any personally identifiable information (PII) or private media libraries were compromised but did mention that all account passwords that could have been accessed were secured.
“Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset,” the Plex email reads.
“Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident,” the company added.
Further, Plex asked customers to make sure the checkbox “sign out connected devices after password change” was ticked during the password-changing process.
Despite Plex’s reassurances, however, some users experienced issues changing their passwords following the instructions provided by the company. Troy Hunt, Creator of “Have I Been Pwned,” suggested a possible solution to the problem.
“As others have suggested, not trying to sign out existing devices seems to work. Go figure,” Hunt wrote.
Since Plex sent out the email to warn users about the password breach, the Plex website has been generally slowed down, possibly due to multitudes of users rushing in to change their passwords. At the time of writing, however, the site seems to be loading normally.
The Plex breach comes weeks after hackers reportedly stole 20GB of data from one of Marriott International hotels in the US.
More generally, a recent report by IBM suggested that the average cost of a global data breach stood at $4.35m as of July 2022.