We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.

What happened

An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication ...
Plex followed best practices and made sure that in the event of a data breach your accounts were safe, and alerted us promptly to the breach and reassured us that nothing private/of value was compromised.
Jellyfin knowingly leaves multiple API endpoints with zero authentication.
I know which one I prefer, and it’s not the one with gaping security holes marked as “won’t fix”.
People don’t seem to understand that no-one can reasonably stop a breach today.
The question is whether the attackers got anything of value and how easily they got in.
This breach was, in fact, very preventable. Plex didn’t need to force users to authenticate with a central server to access their own self-hosted media in the first place.
That’s not how “preventable” works.