Plex has confirmed it recently suffered a security incident, marking the second major breach in as many years. In a detailed forum post noted by Engadget, the company said an unauthorized third party gained access to “a limited subset” of customer data, including email addresses, usernames, authentication tokens, and securely hashed passwords.

The never-ending battle for security

Regular password changes can’t hurt

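The company stressed that passwords were hashed according to industry best practices, which makes them unreadable in raw form. Still, Plex isn’t taking chances. “Out of an abundance of caution,” it’s asking every user to reset their password right away and, importantly, to sign out of all connected devices once that’s done. The sign-out step matters because authentication tokens were among the exposed data, and a password change on its own does not necessarily end sessions that are already signed in.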

If you log in with a password, you’ll find the reset tool at plex.tv/reset. When prompted, tick the checkbox to sign out all devices; this will force a re-login on your Plex Media Server as well. If you normally use Google or Apple for single sign-on, head instead to plex.tv/security and hit “Sign out of all devices.” For help troubleshooting login issues after the reset, Plex said users should consult its support page.

The good news: Plex doesn’t store credit card information on its servers, so payment data wasn’t exposed. The company said it’s already closed off the attack vector used in this breach and is conducting additional reviews to strengthen its systems.

For users, though, the playbook remains the same. If you’ve been around Android Police for a while, you might have seen our recommendations before:

  • Don’t reuse passwords: If your Plex password is the same one you use for Gmail, Facebook, or anything else, change those too. Credential stuffing is the real risk here.
  • Use a password manager: It’s the easiest way to keep unique, strong credentials without needing to memorize them.
  • Enable two-factor authentication: Plex supports it, and it makes stolen passwords far less useful on their own.

The latest incident echoes Plex’s 2022 breach, which exposed a similar set of data. While the company acted quickly to contain this new one, two breaches in such a short span aren’t a great look for a platform that millions rely on to manage their media libraries.