A Plex data breach in 2022 exposed usernames, email addresses, and encrypted passwords. The company required all users to change their passwords as a precaution, and now history seems to be repeating itself.
The company is again emailing users, using virtually identical wording to report a new data breach with the same data obtained …
2022:
A third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.
2025:
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, and securely hashed passwords.
Last time the company forced a password change on all users. So far, it does not appear to be doing so this time, though there is contradictory language in the email being sent to users.
The introduction recommends, rather than requires, a password change:
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you immediately reset your password by visiting https://plex.tv/reset.
Further into the email, however, it describes a password change as mandatory, with a ‘what you must do’ heading.