Cyber Incident Victim: Plex
Date: Aug 2022
Location: United States of America
Summary
Plex disclosed a data breach following unauthorized access to a compromised database, exposing emails, usernames, and encrypted passwords stored in accordance with security best practices. The company mandated password resets and advised users to log out all connected devices, though some users encountered technical difficulties during the process due to server errors and unexpected interface issues. Financial data was unaffected because payment details were not stored on the platform. Plex stated that it had addressed the method of access and initiated additional security reviews to prevent future incidents.
Description
On August 22, 2022, Plex Inc., a streaming media service and client-server platform, detected suspicious activity within one of its internal databases, prompting an immediate investigation. The inquiry confirmed unauthorized access by a third party to a limited subset of data, including user emails, usernames, and encrypted passwords. While the compromised passwords were hashed and secured following industry-standard practices, Plex mandated a global password reset for all user accounts as a precautionary measure. The company assured users that financial data, including credit card and payment information, remained unaffected as it was not stored on Plex servers. Within 24 hours of discovery, Plex publicly disclosed the breach via a notification detailing the incident’s scope and remediation steps, emphasizing that the actual impact was believed to be limited. Technical specifics regarding the attackers’ entry method were not disclosed, though Plex stated it had already addressed the vulnerability and initiated additional security reviews to harden its systems against future intrusions.

The password reset directive caused operational disruptions, with users reporting difficulties such as internal server errors, “Not authorized” messages, and an inability to access personal media servers. Some affected users resolved these issues by logging in again and reclaiming server access, while others encountered persistent failures. High traffic volume from simultaneous reset attempts may have overwhelmed Plex’s infrastructure, exacerbating these problems. The password reset interface’s unconventional design, which requested a new password before verifying the existing one, further contributed to user confusion and failed attempts. Despite these challenges, Plex maintained its reset mandate and advised enabling two-factor authentication for enhanced account security. The company directed users to a support article with step-by-step password reset instructions, including an option to forcibly log out all connected devices after changing credentials. No evidence suggested exfiltration or misuse of the encrypted passwords beyond the initial database access.
