Plex got hacked. - eviltoast

We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.

What happened

An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.

Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.

What we’re doing

We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.

What you must do

If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.

If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says “Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

Additional Security Measures You Can Take

We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.

Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.

For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/account-requires-password-reset

  • Saik0@lemmy.saik0.com · 10 up / 2 down · 2 months ago

    That would be a perfectly valid answer… But the Devs have posted several times that they’re not interested in resolving it.

    I’d accept a checkbox on install of Jellyfin for “Check this box for better security… some unsupported software might not like this. Go to Options/blah/blah to change this later if you need to change this later.”

    I’d probably shut the fuck up about this whole thing and dump Plex. But every single time Plex ends up in an article there’s people singing praises about Jellyfin when there’s completely open endpoints… It just baffles me. Downvotes be damned, I’ll bring it up though when I see it since the devs won’t bother telling people their software has a potentially big problem (especially if you use default configs, docker, and *arr stacks).

    • Gravitywell.xYz@sh.itjust.works · 3 up · edited · 2 months ago

      Well it's good to make sure people know about it, but I would think most admins already know and just don’t care. It's certainly not news to me, and doesn’t seem very useful in terms of actually exploiting anything.

      I’m curious what you'd think a kind of worst case scenario would be for any of the current jellyfin auth issues. Like what would someone with bad intentions be able to do?

      I think the Plex issue with emails being stolen is a bigger problem because then those emails can get phished for their Plex accounts and possibly more. I still wouldn’t consider it a huge deal though, Plex handled it correctly.

      My real issue with Plex and why I constantly shit on them is that they stole from XBMC and made a business model that monetizes piracy or at least tries to.

      • Saik0@lemmy.saik0.com · 5 up / 2 down · edited · 2 months ago

        Stolen is a bit loaded in my opinion… XBMC was open source. All the parts that rely on that are available for free. Lots of websites out there sell shit… and run off of NGINX or Apache. Taking open source things and building on them is common at this point.

        I’m curious what you'd think a kind of worst case scenario would be for any of the current jellyfin auth issues. Like what would someone with bad intentions be able to do?

        Edit: Fuck, hit enter early… one moment. Edit2: here we go…

        You have your setup… you configured it like the git repo said to and even used what the container guide told you to (https://jellyfin.org/docs/general/installation/container/). You have now standardized the path… because the internal path that is recommended in the official compose will likely not change… (especially in the linuxserver version, https://hub.docker.com/r/linuxserver/jellyfin). Then you hear about *arr stack stuff and how people evangelize that on this platform too (I’m one of them!). Standard naming convention gets applied there too…

        So now bigbucksbunny.mov is stored on /data/movies/bigbucksbunny(2008)/bigbucksbunny.mov. You can pre-calc that md5 hash and probably nail people right now and get a result. Now be SONY or some other lawsuit happy studio. Grab a list of all your releases and precompile common paths and names (this would likely be something that an LLM would be good at doing… fetching lists of paths that people post on reddit and other places)… generate the MD5 list. Maybe 1000 permutations of your top 10 movies… bonus points if there’s no physical release (since you could claim that you ripped the content yourself… can’t do that on streaming only content). Curl through the list of 10000 variants… if you get a hit on anything then you know they have your content… and it’s publicly accessible (which could be argued in court for distribution… though I’m not a lawyer and don’t know how reasonable that is.) You as the owner would then be on the hook… and lawsuits would commence promptly.

        This is a potential “worst case” in my mind. Of course because they have evidence of access direct from your system, they can then subpoena access to the whole system… where your whole library becomes available for them to search further for more copyright violations and now you're in real deep shit to explain to the courts.

        Now… if you’re in a country that doesn’t care! Cool… just stop recommending Jellyfin to those that would get fucked by this. Are there ways to mitigate this highly? Absolutely… fail2ban, anubis, cloudflare bot detection shit, changing paths or adding GUID to your media library path… all can probably fix this… But none of that is in the jellyfin docs… and NOBODY else seems to mention it except for me when this discussion comes up… So how many people are actually doing it?
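The comment above names fail2ban-style blocking as a mitigation for the guess-and-check sweep it describes. The script below is an added example, not code from the thread or from the Jellyfin project: it reads reverse-proxy access log lines in Common Log Format and flags any client that requested many distinct paths that all returned 404 inside a short window, which is the traffic shape a precomputed-hash sweep leaves behind. The log lines, IPs and `/media/...` paths are constructed for the example; the endpoint layout is not Jellyfin's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format line as a reverse proxy in front of the media server writes it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields we need, or None for a line that is not in CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}

def find_sweeps(lines, window=timedelta(seconds=60), min_misses=5):
    """Map each client IP to the most distinct 404'd paths it requested inside
    any `window`, keeping only clients that reach `min_misses`. A few 404s
    spread over hours (typos, stale bookmarks) are not a sweep."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)] of 404 responses
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, reqs in misses.items():
        reqs.sort()
        best = start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # slide the window past requests that are too old
            best = max(best, len({p for _, p in reqs[start:end + 1]}))
        if best >= min_misses:
            flagged[ip] = best
    return flagged

# Constructed sample: one client guesses six paths in 25 s, one has a stray 404.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Sep/2025:12:00:{5 * i:02d} +0000] "GET /media/guess{i:02d} HTTP/1.1" 404 0'
    for i in range(6)
] + [
    '198.51.100.9 - - [10/Sep/2025:12:00:10 +0000] "GET /media/typo HTTP/1.1" 404 0',
    '192.0.2.5 - - [10/Sep/2025:12:00:11 +0000] "GET /web/index.html HTTP/1.1" 200 5120',
]
if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

The flagged IPs are what a fail2ban jail or proxy deny list would consume; tune `window` and `min_misses` to the server's normal 404 rate before acting on the output.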

        • Gravitywell.xYz@sh.itjust.works · 3 up · 2 months ago

          Stolen is loaded… XBMC was open source. All the parts that rely on that are available for free.

          Okay so they violated the GPL to produce their product. It started off on good terms, contributing back upstream, but then they got greedy and decided to stop giving back. On top of that they also provide nothing upstream to FFMPEG or any other of the open source projects they benefited massively from… basically they are leeches of open source software… but you are technically correct [1] to say it's not literally stealing.

          [1] The best kind of correct

          • Saik0@lemmy.saik0.com · 3 up · 2 months ago

            I just edited what I meant to originally send… Now I’m replying so you get flagged and can look at it. Sorry that I fat fingered the enter button and jacked up the thread. My bad.

        • Gravitywell.xYz@sh.itjust.works · 1 up / 1 down · edited · 2 months ago

          Edit2: here we go

          That makes sense, I appreciate you taking the time. It's certainly not a very big issue for me personally, and I do have other mitigations in place for more general attacks like fail2ban, but not everyone is in the same situation so it's a valid concern to mention.

          I do think you’re overestimating the risk. Studios are unlikely to go to such lengths when there are bigger, easier targets. Still, it’s not entirely negligible, even if the exploit seems fairly benign to me personally.

          My thinking as a sysadmin is if someone has security concerns, they wouldn't be JUST with jellyfin in most cases, you’d be securing an entire server (or paying someone else to handle that part), so it's an issue to keep in mind, sure, but the mitigation would be mainly outside of jellyfin specifically anyway, thus why it's not really mentioned in jellyfin’s docs or considered a big concern by the devs.

          So I’m not really disagreeing with anything you’ve said, but you haven’t changed my mind either, I’m still going to recommend jellyfin over plex.

          • Rekorse@sh.itjust.works · 2 up · 2 months ago

            Your recommendation should change depending on the needs of the person you are recommending to. If you recommended I change to jellyfin you would be wrong, for example.

            • Gravitywell.xYz@sh.itjust.works · 2 up · 2 months ago

              I recommend self hosting, I don’t consider Plex to be self hosting since it's so heavily dependent on a third party corp to facilitate things.

              If you aren’t interested in self hosting I don’t have any suggestions for you other than to enjoy it while it lasts.

              • Rekorse@sh.itjust.works · 2 up · 2 months ago

                I’m not dependent on plex, it serves my needs best. If plex goes down I’ll use something else, like jellyfin. Jellyfin just isn’t better than plex for me.

        • Auli@lemmy.ca · 2 up / 2 down · edited · 2 months ago

          I mean they could also just go to Plex and ask them what’s on your server. And don’t say they don’t know considering they sent emails about what you watched. And Plex is getting into the data selling game. I am surprised this hasn’t been done.

          • Saik0@lemmy.saik0.com · 3 up · 2 months ago

            I mean they could also just go to Plex and ask them what’s on your server.

            There we go. Finally this argument came up… Plex doesn’t have a list of what's on your server.

            And don’t say they don’t know considering they sent emails about what you watched.

            They don’t. The metadata of “what you watched” recently isn’t attached to what data source it was watched from. You can go search for a movie that isn’t on your server, click it and mark it as watched and it will show up on that email list. You can also disable that function altogether and then nothing is synced to them. You can also make a claim that they know what you have since you probably pull metadata on those items from them. Except you can pull metadata on just about anything without having the content at all.

            But once again… I’d love to get off of Plex. I want to actively get off of Plex. But Jellyfin is a worse pot to jump into.

    • Auli@lemmy.ca · 2 up / 5 down · 2 months ago

      Sure you always seem like a shill. You might not be but it comes across. Plex is not perfect either and has had breaches and been used to hack someone's machine. As far as I know jellyfin has not been used in that space and these issues could not be used for that.

      • Rexios@lemmy.zip · 5 up · 2 months ago

        and been used to hack someone's machine

        That person was using a horrifically out of date version of the plex server with known, documented, and already patched vulnerabilities.