Skip to content
Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals

Plex User Passwords Compromised in Data Breach

Many Apple users rely on Plex to manage their personal media libraries. Unfortunately, TechCrunch reports that some of Plex’s user data—email addresses, usernames, and passwords—has been compromised, with the company admitting that the majority of its 30 million accounts were affected. Even though Plex says the passwords were hashed (cryptographically scrambled), the company is still warning users to change their passwords. If you missed or haven’t yet received the notice, here’s how to do that on the Plex website:

  1. Click the hamburger icon in the upper-right corner.
    Plex website hamburger icon
  2. Click Sign In and log in to your account.
  3. Click the hamburger icon again and then click Account Settings.
  4. Look under Security and click Edit to the right of Password.
    Plex password settings

If you haven’t already done so, you can also take the opportunity to turn on two-factor authentication. If only we had some technology that was better than passwords!

Read original article

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About Plex User Passwords Compromised in Data Breach

Notable Replies

  1. I opened my Plex account by signing in with Apple. The password shows as “not set” while my email is the typical random characters @

    Does using Sign In with Apple mean I don’t have to concern myself with this sort of data breach?

    I’d not, how would I go about updating my login?

  2. You should be fine. Using a ‘Sign in with…’ service for a site means that the site delegates the authorization decision to the service you are using for the sign-in. So, it has not stored any passwords or other information associated with the sign-in token. So there is nothing to compromise here.

    Of course, if the service (Google, Facebook, Apple, etc.) has its password store compromised then you might be in a heap of trouble for all sites where you have designated that service as your login authorizer.

  3. Depending on how their service works, of course.

    For all the services I’ve worked with, you can always log in and revoke the authentication token, which would force you to re-authenticate on any service using the token.

    If one of them gets hacked, I would expect (once the hack is discovered) that they would summarily revoke all the tokens and force a password-reset on the next access. So a thief trying to access a site that relies on the token would need to re-authenticate, and should (hopefully) be unable to reset the password due to not having access to whatever service (e.g. a third-party e-mail system or 2FA) is required to perform that reset.

  4. I’ve been trying to delete my Plex account (never used) but got into a Kafka-esque nightmare of multiple clicking. You’d think that clicking ‘Delete account’ would do the business, wouldn’t you? But no, that resulted in an email instruction to reset my password. Has anyone successfully deleted a Plex account, and if so, how did you achieve that, please?!

  5. Update: I managed to delete my account this morning. At the previous attempt it must have got itself into some kind of loop about resetting the password.

Join the discussion in the TidBITS Discourse forum


Avatar for jcenters Avatar for aforkosh Avatar for jesse_the_k Avatar for drakewords Avatar for Shamino