We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
What we’re doing
We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.
What you must do
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
Additional Security Measures You Can Take
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.
Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.
For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset


It seems strange to me that you feel a service which forces you to log into a cloud service then leaks private data is somehow better than a service that allows users to operate strictly offline.
Feels strange to me that we just accept
comments like these that imply that jellyfin is a direct replacement for Plex when you yourself say it’s not. Especially an implication that you’d only “hack one” when the software itself has a massive gaping hole on ALL installs. Your only saving grace is if you deviate from “standard” install procedures.
I’ve already mentioned it several times. I want to dump Plex. I don’t like the SSO that they solely control. I don’t like many of the changes that they’ve made in the 12 years I’ve been using it. It’s still the best product for watching my content.
Nobody is running Jellyfin strictly offline. At the bare minimum people leave it internet connectable to grab metadata and other resources, and more realistically in the context of a topic about Plex, Jellyfin would need to be internet accessible because that’s why people are using Plex. The jellyfin devs have already made it clear they don’t care about security issues. Why are you trusting the software when they ignore simple to fix issues that have merges waiting but they won’t implement because “reasons”. What other issues could be lurking leaving you open for liability? If someone can show you an issue from 5 years ago that is categorically a security issue and the devs refuse to fix it… you should also be questioning EVERYONE who advocates it’s use to replace a service that’s meant to be accessible in the way Plex is.
Edit: adding a little bit… forgot about it.
I didn’t say that. I agree with it though. They aren’t 1:1.
I’m not arguing with me about the merits of you using Plex. Entirely possible it suits your needs better. But most important to many of us is the ability to run offline. Once you’re online, you’re right that Jellyfin has some ground to make up.
I run it offline, in a network that doesn’t even have a path from the outside world. I have a separate gluetun network for getting metadata outside the media server. Even still, connecting to the internet is a vastly different security service that allowing connections from the internet.
I wouldn’t even really debate any of your negative points about Jellyfin; all true. I’m just saying Jellyfin is a replacement for Plex in many cases, even if not yours. For me, where I want to run offline a service that doesn’t force me to log into a cloud server to watch my own stuff on my own network, it is a replacement. And on top of that, I just like it more. I like the interface more and feel its syncplay is less problematic.
I was referencing the picture… which was the original comment I replied to. I recognized that your comment delineated that jellyfin should be offline. I appreciate that. I wish I saw more of that. This way we don’t screw the new people to our media hoarding ranks. (I mean seriously… There’s people like this out there… https://www.shodan.io/host/180.125.230.199 They’re part of this community… somewhere.)
It is… And I’m actually quite jealous that you have people using your server that you can watch movies together with… and are all using and capable of using a tunnel service without stupid amounts of support or other equipment limitations (good luck getting a vpn working on a Roku tv!). But if I want to syncplay with my family… plex is the only sane answer, regardless of it’s functional flaws.
Edit: or even worse… This person…https://www.shodan.io/host/136.61.116.233 Where you can see the jellyfin service user that has a valid login on rdp… and their jf is accessible at jellyfin.nonooculusnas.com. It’s even behind Nginx Proxy Manager! (which is recommended by the JF dev team) Yet still responds to probing for content…
If I were you, I wouldn’t even let the others flabbergast you!
Thank you so much for providing so much detail in your comments. I have actually learned a thing or two about Jellyfin. I, like you, am wanting to get off Plex ASAP, but haven’t had the time to sit down and go through with it just yet. Thanks to you, I see those Shodan examples you provided, and the fact that their freaking LOGIN shows up is beyond scary to me.
I appreciate what you have shared. Thank you!
eh, I’m probably pretty grumpy about this discussion because I keep having the same exact 4-5 talking points “discussed” over and over just every few months. So I get that I’m probably not the most fun to interact. But this is the point. If nobody ever brings up these issues (including the JF devs themselves on their install documents) then we end up with more people like these shodan people.
The JF devs had a 5 year opportunity to close one massive big hole, that would have been simple and easy. The issues related to it are well known to the dev team and proof of concept was submitted over 5 years ago to them. They actively refuse to merge the code that would fix it because of “reasons” (most cited being “compatibility” with some players). And the most cited solution is “reverse proxy”, which is fine… but don’t resolve the problem on it’s own. Case and point with the second shodan link you can reach their instance and you can try the calls and it still “works” even though it’s behind NGINX.
This is a massive problem that isn’t being abused yet that we know of… but that problem is in EVERY JF instance… and has been the whole time JF has been a project since that problem was in the version of emby that JF is forked from. So to say that “Plex bad cause security!” when they specifically notify and do the “right” things in response to a problem is crazy when JF’s answer has been literal crickets for half a decade.
But yeah, Shodan in general is a really fun tool. It’s good habit to check your own stuff out and see what you’re exposing to the world that’s just findable.
Here’s another thing lots of people overlook. If you use let’s encrypt or some other service… look into pulling wildcard certs instead of your specific jellyfin subdomain. https://crt.sh/ and other sites will record every public cert that’s registered. Pop your own domain in… Can search for all sorts of stuff this way too.
I’ll be honest, even this is all new to me. I’ve had troubles wrapping my head around certs and ports, so I’ve always just never even tried anything that would make a port available (as far as I am aware…) so your points have at least reached an audience who appreciates the examples you’ve provided.
Feel free to ignore if you don’t have the mental energy or will to, but where could I find a good source for learning this type of stuff without finding out the hard way like some of those poor people on Shodan? You’ve awakened a fear I didn’t even know I had. lol
Well… I’ll be blunt here. I taught in an R1 institution for a bunch of years. Even people graduating with a Masters in the IT field can know very little about these subjects (which could be a statement of the program itself… but in my opinion mostly of the students lack to join concepts together as I literally had many of those students go through my security and operations classes). It’s possible for the best of us to be blind sided by random things that we didn’t recognize as a problem because we didn’t realize that concept x and y are related. I’m no exception to this and never claimed to be.
IT is a big field and security a hot-button, constantly growing, subfield of it’s own. Which doesn’t help… it’s breakneck to keep up with.
I don’t know of any single source of truths to give you here. Some basic tenants of security… Security through obscurity doesn’t work. Expose as little as you can. Keep everything you can behind some form of trusted/audited auth unless you really want it to be abused. Keep backups (3-2-1) of anything you care about. Encrypt wherever possible. MFA/2fa everything possible. Don’t reuse credentials. I’m sure there’s more that others could chime in with.
Ultimately all you can do is minimize your risk pool. It’s impossible to completely negate it. Keep an eye out on cyber news so you can learn the “new hotness” of the week as far as how things are getting attacked. It’s not necessarily something that needs to be feared, as long as you understand the risks.
You can probably start going through resources like https://www.w3schools.com/cybersecurity/ if you really want to pick up on the basics of stuff out there. And I don’t mind legitimate discussion most of the time if you want to talk about stuff, as grumpy as I might sound, I used to be an educator and have no problems with talking about the stuff I know. Though I am quite sardonic these days, it’s just my cope with the world as I see it fall apart.
The number one thing that helps learn all of it though… a homelab. Every. Single. Student I’ve ever talked to I told “get a homelab, try shit out”. In the context of my classes though, that also meant “try breaking it” too.
Thank you so much. Your knowledge is valuable to someone like me, at least!
I would assume the only thing I have exposed is Plex, since that’s the only thing I access outside of my home. I got the backups down pat now (through learning the hard way, unfortunately…). I use MFA for everything that offers it. I never use the same password for anything.
Seems like my trepidation for online stuff has helped me some in this case. I will definitely be checking out the w3schools, so thank you so much for providing that link!
All in all, your words have helped me today at the least, so I very much appreciate you taking your time to respond and help educate me. It means more than you will probably ever know. I don’t have tech people in my life, and have never had that. I’m the only one in any group I interact with that has any slight interest in technology. I learn best when it is under someone who knows what they are talking about or at the very least can provide ways to explain things.
Anyway, again, sincerely, thank you!