Overview
- Plex says it contained the intrusion and closed the vulnerability, though some customer records were taken.
- Exposed data covered emails, usernames and hashed passwords along with authentication data, and the company says it does not store credit card information.
- The company urges immediate password resets, a global sign-out of devices, re-claiming of self-hosted servers, plus activation of two-factor authentication.
- Some NAS and container users report being locked out of their media servers after resets, with support forums outlining fixes.
- Stolen contact details raise the likelihood of targeted phishing, and Plex reiterates it will not request passwords or payment data by email; the service counts over 25 million users.