A security incident that may involve your Plex account information

https://forums.plex.tv/t/important-notice-of-security-incident/930523

39•Shank•5mo ago

Comments

cranberryturkey•5mo ago

use zymotv instead of plex or emby

colordrops•5mo ago

Or better yet use Jellyfin.

hnlmorg•5mo ago

I’ve been considering switching to Jellyfin.

I’m getting increasingly frustrated at just how badly Plex behaves for home set ups. Which is the entire point of installing something like Plex.

Most annoying still, I’ve even paid for their premium products in the hope that it would make things behave better and it did not.

The only reason these security incidents happen is because Plex try to extort home users. There isn’t any other compelling reason to have your details on their database with credentials to active installs.

Sheeny96•5mo ago

I run my Jellyfin on a Pi 5 8GB (with a bunch of other homelab stuff) and run an OSMC (Kodi + Jellyfin plugin) on a Pi 3b 2GB with absolutely no issue. OSMC automatically integrates with my TV remote, runs very low power and smooth. I never used any of the Plex stuff that wasn't my media, so I prefer it this way. Less bloat, more customisable.

wiether•5mo ago

I am part of a network of "Plex admins", meaning each one of us own and maintain their own Plex server with their own library.

Thanks to the centralized Plex account, we can share our libraries with each other in a few clicks.

You can do the same if you don't have a server also, basically being a member of various Plex server and accessing everything through a single account and interface.

Sure, requiring an account if all you want to do is being the single user accessing your own instance is useless, and if it's your usecase, then Plex is not the right tool for you.

I tried Plex, Emby and Jellyfin, but I staid with Plex because of this easy sharing feature.

bigiain•5mo ago

Is Emby somehow related to Plex?

I use Emby, only because a few friends did and recommended it. I'd probably switch ti something more secure and/or open source given the right push.

crooked-v•5mo ago

From what I understand they're unrelated and the similarities come from convergent evolution.

ksynwa•5mo ago

Emby and Plex are separate projects. Jellyfin is a hard fork of Emby.

bigiain•4mo ago

Thanks :-)

gbil•5mo ago

I can only comment that their communication on the incident is lacking, I've read about the incident yesterday and only today I received the relevant email. On top, it seems that all of a sudden I started getting marketing emails from them although I had unsubscribred in the past, coincidence?

bigiain•5mo ago

Dupe?

https://news.ycombinator.com/item?id=45174684

(Or at least related, this submission has the plex.tv website breach notification, not just the text of the email.)

rockbruno•5mo ago

I made an account there to use my Home Assistant as a media server and it's already the second time they reported that they messed up something. I heard you can install VLC on the Apple TV and stream through that, so I'll definitely do that and skip these weird middle companies.

dav43•5mo ago

I just use infuse or vid hub app and an SMB share.

Tajnymag•5mo ago

Why not use Jellyfin then? It's basically an open source alternative to Plex. You run Jellyfin on your server and in Apple TV use Swiftin (Jellyfin + Swift) for integration.

amatecha•5mo ago

Once I saw Plex required an account even to self-host, it was a no-go for me. Stuff like this is why. (among other reasons, like "why should I go through a 3rd party for something I'm 100% hosting on my own hardware/network")

I've been very happy with Jellyfin FWIW :)

shellwizard•5mo ago

The big selling point of Plex vs jellyfin is that their app is in all of the major stores.Samsung smart TVs for example

nsbk•5mo ago

I switched to Jellyfin last year and never looked back. The only thing I find lacking is the Apple TV App, I tried Swiftfin but it stutters the whole time when playing high quality UHD content. I tried Infuse and it works much better

timothevs•5mo ago

Have you tried Infuse?

untrimmed•5mo ago

I appreciate the transparency, but the phrase securely hashed always makes me a little nervous. It's a huge spectrum, right? We talking bcrypt/scrypt with a proper salt, or something from the old days?

jorams•5mo ago

When they got hacked three years ago the notice included this:

> Even though all account passwords that could have been accessed were hashed (with bcrypt plus salted and peppered) and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.

Whether that later changed for the worse is anyone's guess.

spondyl•5mo ago

Thanks for the reminder. I went to reset my password when the email went out but when following the reset flow, I hit a Cloudflare page (due to the origin presumably having crashed) and got sidetracked

m4tthumphrey•5mo ago

I am a huge Plex power user; watching something at least once a day.

Unfortunately, Plex is a bit of a mess these days - constantly pushing Live TV on us, requiring internet access to access local media (this is a killer whenever internet goes down), overly complex, clunky remote access (altho this is much better these days). But it still isn't bad enough to make me try and migrate. I love my local setup (Sonarr and a custom app for movies as Radarr is OTT for the amount of movies we watch) and Plex is very polished (compared to the alternatives) but I do wonder how much longer it will be around.

t0lo•5mo ago

Conversely I love the plex tv channels as an alternative to regular australian free to air- same as the lg channels.

Easy way for me to turn my brain off and find a good documentary/educational show at the end of the day

m4tthumphrey•5mo ago

I don't mind them doing it, but they shove it in my face constantly when I've clearly said I am not interested.

add-sub-mul-div•5mo ago

Live TV is magical when you set up ErsatzTV and self-host that part as well. You can make channels out of anything. The modes of "I want to watch this specific thing now" and "I want to see what's 'on' right now and pick something to put on in the background" are very different and complementary. I end up relying on the latter more than the former.

stinky613•5mo ago

> requiring internet access to access local media

Good news! You can whitelist exceptions by IP/subnet

Go into Plex Settings, then Settings > Network (show advanced). Scroll down to "List of IP addresses and networks that are allowed without auth"

"Comma separated list of IP addresses or IP/netmask entries for networks that are allowed to access Plex Media Server without logging in. When the server is signed out and this value is set, only localhost and addresses on this list will be allowed."

Put your local subnet and netmask into that (e.g. "192.168.1.1/255.255.255.0") and you should be all good

FYI, I also have "Secure Connections" set to "Preferred", but I don't know if that makes a difference for this or not

m4tthumphrey•4mo ago

NO WAY!! I will check this out later! Thanks!

wiether•5mo ago

PSA: If you are the owner of your Plex server and follow the _Sign out connected devices after password change- as they suggest, your server claim will also be expired.

So you'll have to get a new claim from https://www.plex.tv/claim and set it on your server; through the PLEX_CLAIM env var if your setup involves Docker.

They talk vaguely about it under _Common Issues_ but it wasn't on the original email, so I lost 15 minutes of my day because of this...

cprecioso•5mo ago

Yep, this was a huge hassle for me, I didn't realize it would happen!

Another option is to do `ssh -L 32400:localhost:32400 <your-plex-address>` and connect to http://localhost:32400/web, it will let you claim the server as it detects the connection being local.

mixedCase•5mo ago

Thanks for the one-liner, solved it within 30 seconds!

joecool1029•5mo ago

Maybe related to last month's serious vuln: https://app.opencve.io/cve/CVE-2025-34158

tucnak•5mo ago

On a related note; if you're still considering whether you should put passwords, or rather, hashes thereof—in your application database of choice—please, decide against doing so at all costs! Instead, you should probably use a dedicated secret management deployment: think Hashicorp Vault[1], OpenBao[2], or Keto[3] if you'd like to go beyond with ReBAC (Relationship-based access control) of Google's Zanzibar[4] fame. The benefits of a HA deployment like this far outweigh the upstart integration costs as you get to use a single, shared frame of reference to reason about your internal and external resources alike. Customer passwords, passkeys, certificates, internal CA, ACME, at-rest, in-transit, what have you, is controlled from a single point of consumption with one policy space to rule them all. It helps to use dedicated HSM capability, too. In cloud environments, AWS Nitro enclaves exist now; you could put something like Vault inside one[5].

Vault is more or less Old Testament, though, so if you're serious about zero trust, Zanzibar paper is a must-read!

Relationships lend nicely to AI agent stuff, where RBAC is putting you at a disadvantage. It's hard to express both direct and indirect access patterns in RBAC. For example, whenever agents would act on your, or your user's behalf within a clearly-defined scope (sic!) This is where traditional RBAC breaks down, whilst ReBAC really shines for expressing relationships between user/agent/system identities, thus greatly simplifying checking, scoping, audit.

[1]: https://developer.hashicorp.com/vault

[2]: https://openbao.org/

[3]: https://www.ory.sh/keto

[4]: https://research.google/pubs/zanzibar-googles-consistent-glo...

[5]: https://edgebit.io/enclaver/docs/0.x/guide-vault/

8cvor6j844qw_d6•5mo ago

Anyone remember a few years back there was a major Lastpass data breach?

I roughly recall Plex is somewhat involved in the compromise. One of the Lastpass employees compromised via Plex that leads to Lastpass data breach if I'm not mistaken.

Show HN: A unique twist on Tetris and block puzzle

The logs I never read

How to use AI with expressive writing without generating AI slop

Show HN: LinkScope – Real-Time UART Analyzer Using ESP32-S3 and PC GUI

Cppsp v1.4.5–custom pattern-driven, nested, namespace-scoped templates

The next frontier in weight-loss drugs: one-time gene therapy

At Age 25, Wikipedia Refuses to Evolve

Show HN: ReviewReact – AI review responses inside Google Maps ($19/mo)

Why AlphaTensor Failed at 3x3 Matrix Multiplication: The Anchor Barrier

Ask HN: How much of your token use is fixing the bugs Claude Code causes?

Show HN: Agents – Sync MCP Configs Across Claude, Cursor, Codex Automatically

Hello

FSD helped save my father's life during a heart attack

Show HN: Writtte – Draft and publish articles without reformatting, anywhere

Portuguese icon (FROM A CAN) makes a simple meal (Canned Fish Files) [video]

Brookhaven Lab's RHIC Concludes 25-Year Run with Final Collisions

Transcribe your aunts post cards with Gemini 3 Pro

.72% Variance Lance

ReKindle – web-based operating system designed specifically for E-ink devices

Encrypt It

NextMatch – 5-minute video speed dating to reduce ghosting

Personalizing esketamine treatment in TRD and TRBD

SpaceKit.xyz – a browser‑native VM for decentralized compute

NotebookLM: The AI that only learns from you

Show HN: An open-source starter kit for developing with Postgres and ClickHouse

Game Boy Advance d-pad capacitor measurements

South Korean crypto firm accidentally sends $44B in bitcoins to users

Apache Poison Fountain

Web.whatsapp.com appears to be having issues syncing and sending messages

Google in Your Terminal