Plex: Important notice of a potential data breach
231 points by Flollop on Aug 24, 2022 | 189 comments
Dear Plex User,

We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.

What happened

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

What we're doing

We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.

What you can do

Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password [here](https://support.plex.tv/articles/account-requires-password-reset/?utm_source=Plex&utm_medium=email&utm_content=reset_password&utm_campaign=sql_db_password_reset).

We'd also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling [two-factor authentication](https://support.plex.tv/articles/two-factor-authentication/?utm_source=Plex&utm_medium=email&utm_content=reset_password&utm_campaign=sql_db_password_reset) on your Plex account if you haven't already done so.

Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third-parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses.

For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/account-requires-password-reset

Thank you,

The Plex Security Team




If true, then this will probably reignite discussions around Plex requiring that you authenticate with their servers when using the service to view content that you're hosting on your own hardware.

If anyone is curious, then alternatives like Jellyfin exist. It's a bit different and may not have all the features you need, but it works quite well in my experience.


Plex doesn't require account linking IIRC, it's heavily suggested but you can just access Plex locally without an account.[1]

But otherwise I've switched to Infuse[2] since then, it indexes sources reliably on its own (no manual editing though) and saves the entire need for a server if you use it with some cloud storage. Basically replaced my Plex server, with the added bonus of out-of-home streaming without needing high upload. The major disadvantage is that it's Apple-only.

1: https://support.plex.tv/articles/207538527-do-i-need-a-plex-...

2: https://firecore.com/infuse


This is not correct. I've tried the LAN no-login settings and it does not work for many devices (Roku/smart tv/phones). They also fail if you're not on the same subnet as Plex.

For this infuriating reason, moving off of Plex is on my to-do list.


yup--the weekend my internet went out was a real eye-opener and a number of things in my house got the axe including plex. i use kodi now and while its UX is nowhere near as good as plex, at least it works with a LAN-only connection


Oh definitely, once you connect it to an account it nearly refuses to work locally. I tried to set up a cloud-based Plex instance once and I connected it too early, breaking it because UPNP/port forwarding didn't work (yet) and local access was auto-disabled. Even enabled it only half-worked.


Interesting - I don’t have any issues accessing my server without internet, the default for me seems to be run local and then via internet.


I’m currently not logging in while using plex. Just providing that datapoint

edit:

You can also do this: https://support.plex.tv/articles/200890058-authentication-fo...


It is very client device dependent. And I found that when my internet went out, most devices would not work. But after several hours and some restarts it finally started working on some devices. I think this was because of some dns caching issues.


Are there alternatives with smart tv apps?


Jellyfin has an official app for Roku but I am not sure about other platforms like webOS.



No app for webOS (although emby exists). You can, of course, use the Web player over your local network.


Just released on Official store. https://jellyfin.org/posts/webos-july2022/


Wow, they literally released it a few days after I checked for it :D


But full functionality on Roku is really lacking. They really have not put too much into the Roku client and made the Amazon client way better.


Emby is close, it missed some video features last I checked but it may be good enough for you.


I recently tried this on my setup, two Roku clients and a plex server. Despite my best efforts I could not get subtitles to work unless I had an account signed in with the preferred subtitle options configured for the account.

Being hard of hearing, subtitles are a big deal. I wonder if this is an ADA violation?


It'll probably get answered with "Oops, this is an app bug and it's best if you log in anyway!"

What if you change the global accessibility settings to prefer subtitles? (Or just set SDH/CC somewhere in system settings) I know on Google/Android TV and Apple TV it default-enables subtitles in some apps.


With infuse plus cloud storage any transcoding happens locally though which is a problem with weaker devices


That's true, but I hate transcoding anyway so I just get HEVC when possible and play natively on Apple TV and co. (not casting).


Since you have an AppleTV, what is the advantage to you of using Plex instead of just an iTunes instance with Home Sharing turned on? Do you have non-Apple devices you're trying to stream to, or something else?

I tried Plex years ago, and it wasn't to my liking because it was philosophically like Windows (Load the filename up with show information and constantly ping the internet for matches) instead of macOS (Metadata where it belongs — with the file).

I'm considering adding a Sony phone to my household, so now that Plex is in the news, this reminded me to check it out again.


Well, are you pirating stuff? I've been using Plex for years now and so it's mostly just what I know, but when I first started using it the main things it did were a) handle codec issues (transcoding on the fly when needed), b) pulling metadata and images for movies and shows based on title and year in the file name, c) allow remote users (friends, family, etc.) access to your library via the app, which works out to being very similar to a regular streaming service from their perspective. Basically nothing else did that and so it had a big leg up over XBMC and other apps folks used back then.

If you're purchasing everything through iTunes (do people still purchase stuff through whatever is "iTunes" now? I guess I don't know that either) I assume it's handling transcoding/different device playback and delivering all the metadata for you.

Also once Plex pulls metadata down you're right that it doesn't store it with the file, but AFAIK it's not constantly hitting the net to pull that info down - it keeps a local cache.

I will say at this point - I wouldn't bother switching to Plex and would look for an alternative like Infuse. The company is clearly under pressure to monetize beyond the Plex Pass subscription you can buy. They've been steadily adding crap no one wants and automatically jamming it into the home screen of the app where you then have to go turn it off. It's just a matter of time before they cross a line somewhere and people jump ship. When that happens I imagine some of the open source alternatives (Jellyfin) will see a huge influx of development. I haven't switched just because I don't want to be hassled with figuring out a new system.


Not pirating or buying from iTunes. I rip my own media — CDs, DVDs, blu-rays, and records — which means I don't have to worry about a million distant codecs. From your description, it sounds like that's the only benefit of using something like Plex.


The Apple TV was the last purchase a few months ago, and my main PC is Windows. I used iTunes as a media library years ago but Home Sharing never worked well for me, it regularly just didn't work (Bonjour for Windows' fault) or it lagged.

Ironically I like Plex & Infuse for the reason you hate them, I just give them files whose metadata is just their filename and they can match them to what they really are. No need to keep all the data in media container tags, and a thumbnail/poster that will be pixelated in a few years because something will scale it wrong.

Sony is a valid option given their love for DLNA but I just never really liked the tech. Hell, I have statically-reserved IPs & DNS-registered names for everything in my home.

EDIT: Oh, I forgot -- the main reason I moved off Plex (and would hate iTunes Home Sharing) is I don't leave my PC on. I switch it off daily and don't like to treat it like a server, and to keep using Plex would require setting up a NAS or something (I had my collection on a local SSD for a while).


For me, the primary issue is that the Apple TV isn't good enough to be the most-commonly-used device driving the display. FireTV (4K version) wins the battle for the living room display (and it's not even close, with TiVo being 2nd and Apple TV a pretty distant 3rd).

To some extent, it's self-reinforcing. Once the FireTV gets a lead, all it has to do to maintain/extend that lead is reasonably support playback of whatever new format/source and Plex works great on it. If FireTV supported TV as well as TiVo does, it might end up with 100% of the living room display share.

(I also have Plex sharing to devices outside the house, but that's a <1% use case, mostly when it's us traveling somewhere and the kids wanting to watch something that's on Plex.)


Fair, I used Android TV (picked a TV with a decent chipset) before, and it played what I wanted well. The reason I got an Apple TV was because I loved Infuse on iOS, wanted some (easier) AirPods integration and found out all the apps I use are dramatically better on tvOS. Plus Android TV was starting to really annoy me with bugs and slowdowns.

I'm not in the US or mainland Europe so Fire and TiVo devices aren't really available or working well here, half their apps would just be blank.


People on HN always complain about this. But the reality is that the one time payment you (maybe) gave for Plex is not enough to make a viable company. So they have to offer complementary products and for that you need an online account.

Normal people also want to have features like remote streaming, subtitle fetching, family sharing, etc. which are hard to do without centralized accounts. Not even mentioning securing your paid features, which you have to do to survive. And that customer doesn't care about the login as long as it is up.

I don't think anything Plex could do to please this particular demand would ever be enough, so for me they do well to ignore it since removing that would effectively kill their business.


I run a lot of self-hosted software services, many of which have their own internal account system and auth. None of the features you mentioned require 3rd party cloud based auth.

I did pay for Plex prior to the cloud auth change, so for me it's a bait and switch, but my concerns are much more about privacy.

One day Plex will be bought by a large media company, and my (and my kids') viewing data and library catalogue data will be owned by MGM, Disney, Fox, etc...


Perhaps the most important thing about Jellyfin is that it's open source. I really wish the project received a little bit more love.


I also want to bring to light that Jellyfin is not very secure either [1]; it's sadly not in a great place to replace Plex still.

1: https://github.com/jellyfin/jellyfin/issues/5415


To be fair to the Jellyfin team, it seems they inherited a lot of tech debt from Emby which they've spent the last 2 years chipping away at.

It might not be in a great place now, but I'm not sure that's necessarily a reflection of the product


Most of these issues require a malicious user, right? I think none of them really are a problem for a friends-and-family instance (as long as they don't get their creds stolen obv). For a single-user usage, none of these really are issues, are they?


As long as you're not opening JF up to the internet none of these are a real issue, so you're fine with a single person/house/network with trusted users.


The middle of the list had a media disclosure without any auth via the image API.

That would mean running a publicly accessible instance would be ill advised if you care about the privacy of what you host. Plex on the other hand somewhat encourages publicly accessible instances, so you can listen/watch while not at home.

(The caveat being, certain plugins disclose media to Plex but arguably that's a first or second party not some rando on the internet scraping stuff)


Drive-by scans happen all the time. Masscan takes 15 minutes to scan the entire internet, for instance.


I've been running it for the past year and besides the occasional odd bug with media discovery, it's run great for me and my family for all our movies and TV shows.


Yes, it's shocking to me how many people are (apparently) willing to trust a closed source / SaaS product like Plex for this kind of thing.

Jellyfin may not be perfect but surely it's good enough for most use cases.


I like Jellyfin, but I need the Samsung client to be finished first. At least it looks like it has been started: https://github.com/jellyfin/jellyfin-tizen


The build steps were a nightmare. That's mostly the fault of Samsung, but it was still very off-putting. Unless I was doing something wrong. It took me a couple full nights after work to finally get it done and on the TV, trying to set up Samsung's developer tools on multiple different machines. I dread having to do it again.


Does it work OK? Was it worth the effort?


Yeah it's been working perfectly for me ever since I set it up last fall (maybe it was winter, can't remember). At least half a year. I'd say it's worth the effort, but the process still sucks.

One of the things I remember making it real difficult was that the UI of Samsung's dev tools app assumes you have the default light theme in GTK (or whatever widget toolkit they're using), and since I had a different dark theme, I couldn't see any of the icons.

So then I switched to one of my devices that were running Ubuntu 20.04 with Gnome, where the app would not launch due to something about "pixbuf". Side note - I'd had that particular error so many times in Ubuntu with various apps that it's the sole reason I eventually learned Arch (and tiling window managers), and haven't looked back since.

I finally managed to get it to launch and work correctly on Xubuntu running on my girlfriend's very, very old laptop that takes about 8 minutes to boot to full speed. So save yourself the headache, and run the Samsung dev tools app on an unmolested Linux installation, with no special theming, that is not vanilla Ubuntu.


I would if I had one. I'm windows-only currently. I guess I could spin up a VM but then I have networking issues...

Thanks for the feedback.


Oh, in that case, I'm sure Samsung has it available for Windows, and it will probably work even better than the Linux version does (considering there aren't dozens of Windows distributions, and dozens of window managers, and a half-dozen popular GUI toolkits to account for).


Has an app for the fire stick too which works really well


They have done a great job, but ultimately I believe a tool like Go or Rust would work much better and the XML metadata format while standard is not very good. Would be nice to see YAML or even JSON. Kodi is my go to for the most part, but I will have to say Jellyfin is definitely more polished. It downloaded the transparent logo for the movie I was watching and displayed it so nicely when I started a movie. I remember Plex offering music themes when you were browsing a collection.. I wonder if Jellyfin does something similar already.


Kodi's pretty good too, and doesn't insist on showing unrelated online content you don't care about like Plex seems to.


Kodi's always been the better option if you're remotely technical.


I ran Kodi for years, but "always"?

* Kodi only works on my local network. It requires exposing my file shares on whatever VLAN my Kodi devices are on.

* Kodi is a pain to configure. To point it at the aforementioned file shares, I need to copy an XML configuration file, and getting this onto every device is a chicken and egg problem.

* Kodi requires each client to scan and sync the entire library at its CPU and bandwidth limits. My Plex server automatically scans and indexes my media.

* Plex allows me to access my content at the office, while travelling, and to share with friends

* Kodi doesn't transcode, requiring all of my client devices to have enough power and bandwidth to do so locally. Plex makes it much simpler to (for instance) stream a 4k video to a low power device

I know enough to have run Kodi for years and intentionally switched to Plex full time.


I don't think you fall into the remotely technical category group.

Kodi can do all those things but you wouldn't as it has much better options to achieve the same result.


> Plex allows me to access my content at the office, while travelling, and to share with friends

Bold of you to trust an opaque corporation with access to your network and the data they can log through that. I wouldn't even trust Synology with their account quick access thing, as seamless as they claim it to be.

I don't really see remote access being secure without it being a self hosted VPN.


My employer can see the data patterns, and I'm struggling to understand why I should care. My media library is entirely legit (I have a crate of 100-disc spindles in the closet) and if they really want to know what movies and music I have, so what? They could see anything I do on Spotify or YouTube as easily, and seeing me stream a bunch of incoming data will throw off far fewer red flags than plugging in an external drive with media files.

If they asked, I'd show them exactly what's up. They haven't, so they don't seem to mind.

It's not full access to my network, it's access to a carefully curated set of media files transcoded through a service. There are no tax returns, no resumes, no porn. Just FLAC, MP3, and MKV.


Xbox Media Center for LIFE


I just use Universal Media Server now and the built in media-browser on my Samsung TV. It's a bit janky but it works.

I've tried using Plex before and while the UI is nice, they don't seem to be able to write a video transcoder that doesn't have massive stuttering in it.


It's using ffmpeg. It's limited by the CPU/GPU on the server. You can adjust the options to have it encode faster or higher quality.


Yeah, I'm sure it's solvable if I dug under the covers and spent hours tweaking and running between the PC in the study and the TV in the living room, but Universal Media Server just works.


> If anyone is curious, then alternatives like Jellyfin exist. It's a bit different and may not have all the features you need, but it works quite well in my experience.

Jellyfin's DVR service is horrible compared to Plex. Practically unusable. And DVR is the reason I pay for Plex.


Check out Channels DVR


I like that they're up front about this. Solved the problem in a couple of minutes.

I use a password manager with a very long randomly generated password for everything, so a hashed password leaking is essentially meaningless to me. Notifying me immediately so that I can change it ASAP is what matters.

The burner e-mail I use for stuff like this is listed in 25 other data breeches, too. I don't really care. Plex is amazing software.

I don't really understand the freak outs here.


You're being a bit generous with credit to them. We have no idea how long the malicious actors had access (nor do they, it seems), nor what depth of access they had. I turned off my server until they have had a chance to verify that no malicious software updates have been pushed.

With regard to complex passwords, Plex is one of those accounts that using a random password is quite cumbersome since my kids and I are often connecting new devices that don't access the password manager. We also use it on smart TVs while on vacation. We use a unique, but simple to remember password.

The problem with Plex is that they force you to use cloud auth even if you self-host despite that not being necessary at all for those many of us that self-host. I don't have any other server I host that requires this. The local LAN login they claim works without auth doesn't work for most devices nor across subnets.

It means I can't access Plex when the ISP is down and it means Plex sees my library and my kids' activity (which I don't like for privacy reasons), despite having paid for lifetime Plex before this was a requirement.

Think about Plex as a business that may very likely get acquired one day by a large media corporation. What happens to my data then? Will they ask me to verify my ownership of content I host(ed)? They are already pushing commercial "free" content to my kids, which is exactly what I was trying to get away from.


I've switched to using Jellyfin and I've never looked back.


kodi.tv doesn't require any account either. The 2TB SSD I have connected to the RPI hosting it works as a good enough media server for my whole network. I love the unique channels and the ability to stream Newpipe from phone to it. I might try Jellyfin to learn its features.


Not sure how you've set up Kodi, however I switched from Kodi to Jellyfin about a year ago.

I purchased a low powered computer with a Celeron N5100 (sorry I might have the model wrong) but I was looking for something that could support and transcode modern video formats in hardware, and connected my external drives too. From there I was able to install Jellyfin, then the Jellyfin clients on all my devices (TV, Phone, iPad etc).

It seems to work really well, especially when exposing the server to the internet using nginx, an SSL certificate, DNS and a dynamic DNS provided by my Asus router. Unsure of the security of this or how to harden it -> VPN might be better for more security conscious people.

You mention you like the unique channels and the Newpipe feature, I don't think any of this is available in Jellyfin, it doesn't seem to be very customisable at all with the exception of a limited list of plugins.


> often connecting new devices that don't access the password manager

Isn't that what plex.tv/link is for?


There is no need for a "complex password" just use a passphrase and don't reuse it.


It's still annoying to type on a TV OSD keyboard with a cursor.


> I don't really understand the freak outs here.

Because most people reuse the same email address and password, and are potentially way more exposed than you are.


I find it hard to believe that most people on HN reuse the same e-mail and password. That practice has always been known to be stupid. There's a whole thing about it in the movie Hackers... from 1995.

In 2022, your data isn't safe. It's widely known your data isn't safe. You need to take steps to make it matter less when it's mishandled.

Don't get me wrong, the Plex infra team should feel bad about themselves, but if this breach in any way compromises anything else in your life other than your media center -- and if your hashed password gets cracked -- then that's on you in my opinion.


What's the best way to use unique emails? I get that Apple has the 'Hide my Email' feature but it's not clear to me how to best use it, especially outside of Apple, i.e. where do I find a list of emails that it's created for me and what they were used for?

Temporary email services don't seem helpful either if you need to go through password reset processes or receive emails after the address has been removed.

Do people just use custom domains with catch-all addresses? Is this really the best way?


Disclosure: I work at 1Password.

I used to use a catchall with my domain, but now I use our masked email feature. You need a 1Password account, and for fastmail to be your host.

https://1password.com/fastmail/

Depending on your settings, you can use your own domain (which is portable, but less anonymous) or you can generate *@fastmail.com addresses.


There are email Alias services such as anonaddy.com or SimpleLogin.io doing the same thing hide my email is doing.


To answer your specific question about finding the email addresses you have created via HideMyEmail:

- open Settings
- tap your username/name at the top of Settings
- tap iCloud
- tap Hide My Email
- you can look for any emails or matches you want


Plus, even if my password isn't exposed, I don't appreciate when my email address is exposed, or I have a username able to be linked to an email address.

Now, should I have been smarter and used a burner email address and username unique to Plex? Definitely. But I signed up with them like 10 years ago.


Yeah, the OP reads more like they understand exactly what the freak out is about.


> data breeches

First I thought of the pants that the crew of the Enterprise wear and second was the diaper thing that the monkey you use to save in Mega Man Legends wears[0].

(As an aside, an image search for "data star trek" will have you believing that he does not wear pants on that show.)

[0] https://duckduckgo.com/?t=ffab&q=data+mega+man+legends&atb=v...


This disclosure is nowhere to be found on their website or blog, and it provides no timeline, no details about the attack, and no details about what data was accessible beyond "a limited subset of data that includes emails, usernames, and encrypted passwords". Very very frustrating.

As of Aug 23 11:24PM PST, Password change page is sort of working, at times displaying error message "Internal Server Error. Something went wrong on our end". I was able to get my request through. Shortly after, a server instance started showing unclaimed status and reassociating it resulted in "Plex is down for maintenance \ Don't worry, it will be back soon \ status.plex.tv".


It appears the password change works fine if you deselect the "Sign out connected devices" box. [1]

[1] https://twitter.com/troyhunt/status/1562329358282285057


Mine worked fine with that checkbox on. However, I cannot get my home server to appear again, even after getting a new claim and restarting it.


This is exactly what I had happen as well.

I'm going to give it some time. I also even went through these steps (https://support.plex.tv/articles/204281528-why-am-i-locked-o...) without success.


It didn't work for me after restarting with a new claim, and when I checked the preferences it contained `PlexOnlineToken=""`.

After removing the attribute entirely it was able to successfully reclaim the server.


So a coworker suggested I try accessing my Plex instance by internal IP, not internal hostname. And that... worked. When using hostname, the way I always had for everything else, it'd show that I didn't have access to the server.


I had the same "", but after restarting all the web interface says is Connecting. Then the server just doesn't show up in the list. <sigh> Might just need to blow up my whole config and reimport everything.


I got it claimed again after several tries. I suspect they are getting hammered by a lot of people doing the same thing (changing passwords)


And now the sender sending the "reset password" email is blacklisted by SpamCop, I presume because they are sending so many emails from a server that normally doesn't send much. They are not having a good day.

http://www.spamcop.net/w3m?action=checkblock&ip=192.254.122....


> Causes of listing

> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Sounds like their spam trap is broken.


As someone who works in email delivery, SpamCop is broken a lot of the time...


I have a feeling that this breach is older than what they're letting on.

On July 27th, I received ~7 emails, about 10 minutes apart, warning me of a new device logging in to my Plex account. It didn't correlate with any activity on my part, and the IPs were all over the place (for context I'm in France). Here are some of the IPs that were used:

  - 191.101.41.35 (US)
  - 185.199.103.40 (US)
  - 103.43.200.58 (India)
  - 2001:16a2:def3:200:40cf:530f:ff72:1747 (Saudi Arabia)
Fortunately the password is only used on Plex, and I just generated a new one and signed out my devices, and that was it.


In general, corporations will use some weasel words when reporting breaches.

They will say "we have evidence that a subset of x/y/z data was accessed". You might think that means they have evidence that the other data wasn't accessed, but what it means is that they only currently have explicit indicators of certain data being accessed (such as an exported zip file that bad actors forgot to delete, or the log of one SQL query, etc.). It really means very little, and companies (internally) usually assume everything on the breached server was accessed, even if externally they only report on obvious breadcrumbs.

They also say "We detected access on xyz date and immediately worked to close the vulnerability". You might think this means that they have evidence that this was the first access, but it only means this was the first obvious alert they noticed and responded to. There might be earlier accesses (even some they already know about).

They are intentionally vague to limit their legal liability. This is why laws must be passed to compel full disclosure.


Plex is implying the passwords were salted and hashed:

> all account passwords that could have been accessed were hashed and secured in accordance with best practices


I personally wish companies would encrypt email addresses in their database, this would at least help against SQL injection attacks and some others (e.g. attacker has only DB system access and not app server access), so it's more difficult for attackers to aggregate data on me. To me it feels very casual waving away the leak of email addresses and just give the usual "passwords were encrypted". But YMMV.


The difference between email and password is you can validate a password with a hash, but you can’t send an email to a hashed address. Their db may be encrypted at rest, but a hacker could still compromise a system that has the key in memory.


Encrypt the email in a column, add a hashed email in a separate column. Email sending would then be covered by a separate and "airgapped" system that holds the decryption key; if you need to send mail, you send the encrypted email address plus what you want to send there.

Now an attacker cannot get a hold of email addresses easily.


This is a great idea. You could use public key cryptography too, so that the system adding emails to the db doesn't need the private key.

3rd party mail sending services could support this by generating a keypair on their systems, and only giving you the public half. When you make an API request to send an email, you provide only the encrypted version of the address.

Edit: The hashing is an issue. It's too easy to build a wordlist of possible addresses, to crack the hash. I think this can only work if you drop the hash column, and instead require users to log in using a username.


The hashing is an issue but you need to identify the user somehow when you do things like password resets.

The alternative is to handle everything by a username and password resets also use the username (which would be fine, worst case you get spammed by PW reset mails).

Though of course you can also combat this by making the hash particularly expensive and salt it. Simply take a SHA3-512 of the email address a few thousand times, take the first 12 bits and use that to identify a set of 4096 records. Now the full email is simply an application of Blake2sp, which you calculate in parallel for all 4000 records.

Adjust the 12-bit barrier so that it represents a decent sized chunk of users, lower would mean less load on the login service, higher would mean better anonymity. Instead of SHA3-512 you could also use a bloom filter to find out if a set of records contains the email or not, with the added bonus of being probabilistic.

You could also ditch Blake2sp for a simple round of salted SHA3-512. The fact that you salted it makes dictionary search insanely annoying already.
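An added example (not code from anyone in this thread) of the lookup side of the scheme proposed above: a 12-bit bucket derived from iterated SHA3-512 selects up to 4096 candidate rows, and a per-row salted BLAKE2s tag picks the exact row, so no plaintext address is stored and a dictionary search has to be run per bucket against per-row salts. The iteration count, salt length and the placeholder `encrypted_email` column are assumptions; the real column would hold the address encrypted under a public key whose private half lives only on the mail-sending service.

```python
"""
Constructed lookup index for an encrypted e-mail column (added example).
Plaintext addresses never enter the store: rows are grouped by a 12-bit
bucket and identified by a salted BLAKE2s tag. The encrypted_email field is a
placeholder for the public-key-encrypted address from the thread's proposal.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BUCKET_BITS = 12        # 2**12 == 4096 buckets, as in the comment above
BUCKET_ROUNDS = 5000    # "a few thousand" SHA3-512 iterations (assumed value)
SALT_LEN = 8            # hashlib.blake2s accepts salts of at most 8 bytes


def normalize(email: str) -> bytes:
    # Fold case and strip whitespace so "Alice@Example.com " matches "alice@example.com".
    return email.strip().lower().encode("utf-8")


def bucket_of(email: str) -> int:
    """Iterate SHA3-512 over the address, then keep the first BUCKET_BITS bits."""
    digest = normalize(email)
    for _ in range(BUCKET_ROUNDS):
        digest = hashlib.sha3_512(digest).digest()
    # Top 12 of the first 16 bits of the final digest.
    return int.from_bytes(digest[:2], "big") >> (16 - BUCKET_BITS)


def row_tag(email: str, salt: bytes) -> bytes:
    """Per-row salted BLAKE2s over the normalized address (the full-match check)."""
    return hashlib.blake2s(normalize(email), salt=salt, digest_size=32).digest()


@dataclass
class Row:
    salt: bytes
    tag: bytes
    encrypted_email: bytes   # placeholder: ciphertext under the mail service's public key
    user_id: int


@dataclass
class EmailIndex:
    buckets: Dict[int, List[Row]] = field(default_factory=dict)

    def insert(self, email: str, encrypted_email: bytes, user_id: int) -> None:
        """Store a row under its bucket with a fresh random salt."""
        salt = secrets.token_bytes(SALT_LEN)
        row = Row(salt, row_tag(email, salt), encrypted_email, user_id)
        self.buckets.setdefault(bucket_of(email), []).append(row)

    def candidates(self, email: str) -> int:
        """Size of the anonymity set an address hides in (rows sharing its bucket)."""
        return len(self.buckets.get(bucket_of(email), []))

    def lookup(self, email: str) -> Optional[Row]:
        """Return the matching Row or None after checking every row in the bucket."""
        found = None
        for row in self.buckets.get(bucket_of(email), []):
            # Constant-time compare, and keep scanning so timing does not
            # reveal the position of the hit inside the bucket.
            if hmac.compare_digest(row_tag(email, row.salt), row.tag):
                found = row
        return found


if __name__ == "__main__":
    # Constructed sample rows; ciphertexts are stand-in byte strings.
    index = EmailIndex()
    index.insert("alice@example.com", b"<ciphertext for alice>", 1)
    index.insert("bob@example.com", b"<ciphertext for bob>", 2)
    hit = index.lookup("Alice@Example.com ")
    print("alice ->", hit.user_id if hit else None)
    print("carol ->", index.lookup("carol@example.com"))
```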


That's a simple and brilliant idea. I'm running with it.


How would you tell the airgapped system what to send?


I used quotation marks on purpose, it is of course networked, but would be using different credentials to other systems and have an ingest-only API endpoint to issue mails with.


> a hacker could still compromise a system that has the key in memory.

Security is about layers. Simply because a hacker “could” do something, does not mean it’s a bad idea. Getting the encryption key when it’s not stored in the database requires the hacker to now have access not to just the database but to another system as well.


This is an excellent point, but there's nuance to it.

This seems like an acceptable solution for email and a lot of other PII. However, if you were to propose the same thing for passwords, with the same argument, I'd be dead against it -- even beyond the total lack of need for the system to ever have the actual password. I'm not quite sure how to explain this, though.


There’s no reason a company needs to know your password. But they do need to know a way to contact you.


Invariably some developer would just store the key in a column next to the email address so they could process any transaction directly in the query.

But the hackers would have to know what algorithm was used :) That's a layer, right?


> some developer would just store the key in a column next to the email address

I think that depends on where you work. Process. Code reviews before allowing merge/pull requests can help.


In the healthcare industry in USA, Personal Identification Information (PII)/Personal Health Information (PHI) needs to be encrypted at rest and in transit and is mandated by law. So, they are required to encrypt PII/PHI data fields.

Some of those practices may be generally applied for non-healthcare settings as well.


To get nitpicky... (usual disclaimer, IANAL but I worked in health IT including heavy involvement in HIPAA topics earlier in my career) I don't think there's a requirement under HIPAA or HITECH to use encryption.

The relevant parts of HIPAA are the duty to not disclose PHI to unauthorized recipients and breach notification requirements if you do incorrectly disclose PHI (the HIPAA breach notification rule).

The magic of encryption is that HIPAA provides safe harbor if the data stolen/lost/intercepted was encrypted to certain standards. So if you lose an encrypted hard drive full of PHI, or someone breaks into your servers and steals encrypted data but not the decryption capability, then it's not considered a breach under HIPAA and you do not need to notify anyone.

Tons of PHI isn't stored encrypted at rest. Physical theft of the hard drive from the practice's back-end EHR database server hasn't generally been high priority on the HIPAA breach potential risk assessment list. But nearly all data in transit, on employee laptops, etc. will be encrypted, because that's where you want the safety net of the safe harbor provision.


You are right. The law mandates reasonable safeguards and one of them is encryption at rest/motion when deemed necessary by the covered entity (which is quite common in Healthcare).

From the HHS site: https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-...

> Is the use of encryption mandatory in the Security Rule?

> Answer:

> No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.


Does at-rest mean: encrypted on storage so no one can physically steal a drive, or encrypted in the database so no one can get the information with SQL without the key (e.g. Postgres column encryption)?


Conceptually, yes. You can encrypt at the database/filesystem level (where the OS/DB engine manages the encryption keys and enforces access control), at a table level/column level (where the db engine enforces access control) or at the application level (where the application manages the encryption keys and they are separate from the database engine).

They serve different purposes. For eg: When a disk drive is faulty and thrown away, you may not want data to be recoverable from it. So, the filesystem level encryption helps there. A db/table/column level encryption helps when there are different applications (eg: transaction processing and analytics) accessing a shared database. Reporting queries may not need access to the sensitive fields whereas certain transaction processes may need it. In this case, db/table/column level encryption helps. When you want separation of concerns, you can add application level encryption (on top of the other two). Example: Your data is stored on the cloud and you don't want the cloud service provider to know the data or if they replace a disk drive as part of normal servicing, you don't want your data to leak.

This depends on the threat model.


Apple did a good job with this, I think it’s called Apple Hide My Email.

https://support.apple.com/guide/icloud/what-you-can-do-with-...


It seems to me that encrypting emails is either untenable or insufficient depending on how you do it. You could do a one-way operation like is used on passwords, but then you can't access the user's email address to send them emails. You could instead do a two-way encryption but that likely means using a hardcoded key to decrypt, and that key can't be considered secure if attackers have access to the system. There may be other more effective options but I'm no security expert and I haven't given much thought to other solutions.


You're mostly right.

Hardcoding a key would be a bad idea. You would need some way to rotate keys. Maybe also encrypt the actual data encryption keys under another key encrypting key.

But this only defends against attacks which can't get that key (e.g. a SQL injection attack that just dumps table contents).

Having said that, you only need to decrypt if you want to send an email, for logging in you could just store a one way salted hash.

More importantly, this is a lot of effort to protect data that isn't usually regarded as that sensitive (unlike the passwords). If I had the security budget to do that, I'd almost certainly spend it on something else.


If that 2-way encryption key is stored separately from the database (e.g. only the web server has it, not the database server), it certainly helps reduce the risk that the emails are compromised.


Thanks for sharing this. I got the email, but found it here first. They let us know pretty fast, and gave clear instructions on how to secure our accounts moving forward. That can't be said for all companies that we trust with our info.

It sounds like payment data was stored in a separate database that had a different set of credentials (for this I am grateful).

Thanks to The Plex Security Team for providing details quickly.


No, not all.

> Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.


I'm a long time Plex user, and I have not received this email. Not sure if I should be worried or if the breach has just affected a subset of users. I use random unique passwords for everything anyway, as long as no credit card details were taken it shouldn't be a big deal hopefully. I was able to log into the site now and no message was displayed at all.

Edit: Not sure why I would be getting down-voted for this. Security breaches are a big deal, but if the only result of this for the users is that we need to change our passwords, that's a fairly good outcome, no? :-) The biggest hurdle ahead for Plex is to figure out exactly what these attackers did, if they were directly targeted and for how long they were in their network. A lot of the time an incident is discovered long after the first breach (based on my own personal experience).


Likewise, I haven't got anything.


I haven't received anything either, and was able to log in without having to set a new password.


I have received the email. They are not forcing you to reset password on login, you need to go into your account and reset it normally.


Just got the email.


I got the email about an hour ago.

Understand that sending emails that are not SPAM, to potentially millions of people is NOT a trivial exercise.


I got mine roughly 3.5 hours ago, so after this post was made. Looks like they're trickling out.


I got my notification roughly 3 hours after the Hacker News post.


I received this email 1.5 hours ago.


I received email 5+ hours ago


Ugh, I feel like this is becoming a regular thing I need to look at with Plex...

Has anyone tried any alternatives that have a decent Apple TV client?

I have tried looking a couple times over the last couple years and that is always my blocking point.

Ideally not a third party one, I know Jellyfin has a third party option but it always seems to have issues on my library and needs to update its cache (or something) and my experience with it was not great. Kodi seems like it might have one, but it isn't available through the App Store.

Bonus if it can somehow import my watch history (but not required, that is a minor issue).

As much as I hate Plex and all of the unnecessary features they keep adding, they seem to be the only one with a decent client.


If you only have Apple clients (iOS, iPadOS, tvOS and macOS) you can try Infuse. It's only a client, so you need to store your files somewhere (iCloud, Google Drive, your NAS), but it can then play all kinds of files and sync progress between different instances of itself. If you don't want transcoding on the server and only use Apple devices for playback, it IMHO works much, much better than real Plex.

It can also play at being a plex client to provide better playback options than the official plex app.


Maybe Infuse is different if not pointed at Jellyfin, but that was the client that would have issues with my library. It would lose its cache or something, I don't remember now, all the time.


I have run infuse for a few years first against Plex and then files on GDrive. I have not encountered that problem.


There is a first party Apple TV client, but it's still in development. They do have a public TestFlight for it:

https://github.com/jellyfin/Swiftfin


I’ll second this - complicating things is all the third party apps I use with Plex (for music, audiobooks etc). I’d love to switch to jellyfin but they aren’t going to have an ecosystem like this any time soon


Infuse.


I noticed last week that my plex server was using a lot of CPU when I was not watching plex. Since I almost never use it, I just killed the server process thinking that it was running amok because of some bug.

It all became clear when I got this email last night. I was suspicious, but now I'm pretty certain that my account was exploited, and my local media was being streamed by a 3rd party.


My big fear isn't malicious library access, but that the bad actors pushed a malicious update to Plex itself and that my server is now running malicious code doing God knows what on my network.


Don't let "media manager" apps have direct read-write access to files - they tend to spew metadata all over files, and if there's a bug in the software it can corrupt your data. Doubly-so for an internet-facing dependency dumpsterfire like Plex. It's also worth having at-least a DMZ with ingress/egress filtering for any internet-facing services such as Plex - only allow them to connect to what they need.

A filesystem which supports snapshots and rollbacks is good to have underlying your media collection as well (ZFS, BTRFS, etc)


Excellent point. Control of Plex servers would make a pretty good DoS cannon..


Ugh, checking that box signed out my server and I've yet to figure out how to sign the thing back in.

EDIT: Figured it out. Need to access the server from the same network (or tunnel to it). You won't see server settings from external network.


It's funny that everyone here is expecting airtight security practices, proper vulnerability disclosure and general trustworthiness from an app that's a tiny step above the likes of BitTorrent and PopcornTime.


With most BitTorrent clients you don't have a remote account on the creator's centralized system, so there is nothing that can be compromised in this way. If software developers require or strongly encourage online integration then yes, they should be held to higher standards.


That's like saying torrents are only used for piracy, TOR only for buying drugs, and crypto only for laundering money.


There are a distressing number of people on this website who believe all three of those things.


What percentage of torrent use or Plex use is not for piracy?


I use torrents frequently for downloading Linux distros. Last weekend I downloaded Debian[0].

Plex has many legitimate use cases. More recently they've pushed into streaming by licensing free content[1], and adding a UI to show where to watch a given show given a set of streaming services that you subscribe to[2].

Aside from that they have their streaming Live TV/DVR[3] feature where you plug a TV tuner into your computer to stream your TV from anywhere, and record it to disk. I have this setup, and it can be useful when watching sports with friends because nobody I know has cable setup 24/7 -- they usually plug an antenna in when they want to watch a game.

The more common Plex features of managing a TV, movie, and music library have legitimate use cases of providing a way to stream media that you have purchased and copied to disk.

Lastly, just yesterday I uploaded all of the lecture videos of a course I'm taking to my Plex instance which allows me to stream them from anywhere or download them for offline viewing using a reliable app instead of the Canvas UI.

Out of honesty I'll admit that I do use Plex for piracy. I previously had subscriptions to Netflix and HBO, and I'll often purchase a subscription when there's a new show that I want to watch (e.g. the new Game of Thrones series). I'm not going to subscribe to 10 different streaming services to watch what I want (which is often just background noise while I work), which is what the industry is moving to.

[0]: https://www.debian.org/CD/torrent-cd/

[1]: https://watch.plex.tv/live-tv

[2]: https://www.plex.tv/blog/end-the-streaming-struggle-with-ple...

[3]: https://support.plex.tv/articles/225877347-live-tv-dvr/


Ouch, this sounds very similar to the breach that happened to Plex in 2015. [1]

1: https://news.ycombinator.com/item?id=9817160


Forgot my password doesn't work, nor does the settings screen password change. If you're gonna ask all your users to reset passwords you might want to actually scale up to allow them to do that.


This. And also if you know what "limited subset" of accounts were compromised, you might want to notify only the users affected, and reset the passwords for them.


> you might want to notify only the users affected

I believe they're doing that. I double-checked and got no email from them.


Thanks for posting that. I was about to get out of bed to change my password, but now I’ll let it wait until morning.


RoboForm Password Manager is being offered free (1/yr) due to the Plex breach! Here is the URL with instructions: https://www.roboform.com/promo/plex


Funny. I got the e-mail about the data breach (which I was actually surprised to get, as I had a local-only version of Plex running on my Desktop computer a while ago), but I am not getting the "reset password" emails... not even in spam :).


Their password reset system is pretty bogged down right now, they DDOS'd themselves a bit sending the breach notice to their user base.


RoboForm Password Manager is being offered free (1/yr) due to the Plex breach! (expires 8/28) https://www.roboform.com/promo/plex


OT but have others found the Plex Mobile UI completely baffling when it comes to understanding how to download, sync and then delete content that has been synced to that device? I get lost trying to do so every time.


Yes and I've used Plex mobile app for years. Completely frustrating experience every time I need to use the download functionality.


Thank you for reminding me that I need to delete my account with you. Now if you could only keep your service up and running long enough for me to change my password so I can log in and remove my account.


I wonder if "we discovered suspicious activity on one of our databases" == SQL injection?

I've been through this exercise before with one of my businesses, and I disclosed what/where the injection was and what our remediation was for the problem.

I don't understand the outrage though from this community. I don't think there is a large web business today that hasn't been through an SQL injection compromise. Even the largest platforms in the world like Facebook, etc have had an issue like this crop up.


Is it safe to reset the password when there is so much instability with server errors and so on? Do we know that the door has been closed on the intrusion and the hack patched? Right now it feels like I'd be replacing a lost and known insecure password from ages ago for a service I no longer use with a secure one only to have it stolen again.

A delete account option would be nice in this case. I'd rather just have my data deleted even if it has already been compromised just to tie off this loose end.


…and now Plex.tv/link is down, so none of my media players can sign back in.

I hope that Plex learns from this and implements LAN-only logins (or LAN-only access) again.


I'm sure glad they spend enough time securing the application and not developing silly features that no one wants. /s


Yay. So I used the "Change Password" stuff and to sign out connected devices and now I seem to have lost access to my local server.

I'm guessing it's because of load on their stuff, but it's quite a pain in the butt when I usually use Plex to listen to (my local, legally ripped) music while working.


When you sign out connected devices it disconnects everything, including your server. You will need to sign your server back in.


That's the problem... I've signed into my server directly (local URL) and it's still not happening. I sign in successfully, my server is listed in the left pane, but when clicking it I'm informed I don't have access. I can't even get into its settings.


Weird. I'm on a Mac, so this might be different for whatever platform you're running it on. But I click the Plex server icon in the menu bar, "Open Plex" which just takes you to the admin screen. It was "configured" but not signed in. So, I clicked the user bubble in the upper right, then Sign In at the bottom. This took me to the usual sign in page, which errored the first time, but succeeded the second time.

Not sure if that helps you, but hopefully it's a temporary issue for you.


Okay, here's how friggin' ridiculous this is... I got this from a coworker...

I access Plex normally via an internal hostname. For the life of me I couldn't see any settings and sign-in would basically loop. Coworker tells me he's been fighting with it as well and it worked once he used an IP instead of the hostname. I do the same and bam, I can reclaim my server.

Sheesh.

(Note, I have Plex running on a Synology NAS, so no desktop icon.)


Geez...

How do you like running it on a NAS? I'm considering a Synology in the future to run mine off of. Right now it's all just an external drive on my Mac mini. It works okay, but the Mac is now 8 years old so it's uh... showing its age.


Tried to reset my password, whole site is offline right now, probably too many people resetting their passwords.


Everyone here had 2FA on their account, right?

Right??


Reminds me I need to delete my Plex account, moved to Emby years ago and it works perfectly.


> we want to ensure you have the right information and tools to keep your account secure

Which is of course, a bold-faced lie, otherwise they would never have forced users to open Plex accounts, or removed the ability to conduct authentication locally.


RoboForm Password Manager is being offered free (1/yr) due to the Plex breach! (expires 8/28)

https://www.roboform.com/promo/plex


Like clockwork. I just joined recently and of course they have a breach. I knew I should've stayed away when they required an account for you to view your own media. Does Jellyfin let you get past this security issue?


From a comment further up, Jellyfin has an open issue on GitHub with a list of various security problems (most if not all of which come from Emby when they forked off of it). At least they're open about it, and working on it. It seems like running it on the public net might be a bad idea for the time being. But running it internally should be just fine.

I personally run Jellyfin, and aside from security issues, I'm quite pleased with it.


Thanks for your response. If I set up Jellyfin just to run at home, without any need for connecting in from off-site, should I be okay security-wise? I went with Plex because my TV had built-in support for Plex, but now I think I'd like to delete my Plex account and switch to Jellyfin.


Sorry, haven't looked at HN in a while. As long as nothing from the Jellyfin server is touching the internet (no port forwarding or anything), you're probably just fine. If someone is able to hack your Jellyfin install, despite it being completely in your LAN, you've probably got bigger problems to worry about.

I suppose one way you could access it outside the network securely would be to set up a VPN on your home network, to connect to your Jellyfin server through. So there's options. But obviously it depends on how far you want to take it.


Do corporate PR teams force security teams to say encrypted instead of hashed?


I'm interested to know more about how a third party was able to access the data, so that others can learn from it and have use cases for increasing security controls in areas where there may be deficiencies.


I received this email at 10:42pm PST.

At the time, I could not find the disclosure on their website.

I'm glad they disclosed shortly after discovery, but not publishing it on their site is an odd choice.


I just learned that in 2021, Plex was acquired by Rockwell Automation. Had no idea that had happened. That seems like an odd company for them to acquire.


That is a different Plex (Plex Systems)


Oof - you are correct. I think I should have slept a couple more hours last night.


How do we think this affects using Google Login on Plex? I don't have a password, only using the login with google functionality?


I wish there was a better alternative. I know Jellyfin is there, but I can't get behind the .NET framework it's written in.


I was already skeptical of running plex on an internet facing port, this doesn't exactly reassure me of their competence.


Just in the process of resetting my password and their website goes down with an nginx 500 error.


Got this about an hour ago as well.


question: why use Plex over Kodi?


With Plex and Jellyfin, you set up a central server that will serve clients on all of your devices. So if you watch half of s2e3 on your tablet, then switch over to the living room TV, it will continue where you left off.

They also have clients for all major platforms and for web browsers, and can be accessed from outside of your home. I'm currently in Portugal, watching TV shows off my home machine in Germany via my phone or my Amazon Fire TV or my laptop.

It's much like having your own self-hosted Netflix.


thanks for the detailed explanation


I'd say it comes down to how diverse your clients and your media library are. Plex can transcode your content on the server and then stream it to clients, which means the clients don't necessarily have to be powerful. Kodi is more of a file browser, it just opens the content from whatever storage and plays it directly.


Kodi is (can be) a client for Plex, so those are orthogonal pieces of software.


You can run the client on an existing Roku STB instead of building a separate box.


Because preferences. I use Emby and Kodi and generally I prefer Emby's UI.

