Plex Data Breach Security Incident: What Happened and What You Need to Do

On 9 September 2025, Plex issued a notice regarding a security incident. The company confirmed that an unauthorised party accessed a limited subset of its user database, exposing email addresses, usernames, securely hashed passwords and authentication data (Plex Forum, BleepingComputer, Cord Cutters News).

The incident was contained quickly, and Plex insisted that the impact appears limited (Plex Forum, BleepingComputer).

What Was Affected — And What Wasn’t

Important to note: “securely hashed” doesn’t mean the data is safe forever. Plex didn’t say which hashing algorithm was used, raising concerns about potential cracking risks (BleepingComputer).
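Why the undisclosed algorithm matters, as an added example (not code from Plex or the cited reports): it contrasts an unsalted single-pass SHA-256 with salted PBKDF2-HMAC-SHA256 for two constructed accounts that share a password. Plex has not said what it uses, so both schemes, the user names, the password and the 600,000-iteration work factor are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def fast_unsalted(password: str) -> bytes:
    """Weak storage: a single SHA-256 pass with no salt."""
    return hashlib.sha256(password.encode()).digest()


def slow_salted(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stronger storage: per-user salt plus a deliberately expensive KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(slow_salted(password, salt, iterations), stored)


def seconds_per_call(fn, *args, repeat: int) -> float:
    start = time.perf_counter()
    for _ in range(repeat):
        fn(*args)
    return max((time.perf_counter() - start) / repeat, 1e-9)


def compare_storage(password: str = "constructed-sample-pw") -> dict:
    # Constructed records: two users who happen to share one password.
    salts = {"alice": os.urandom(16), "bob": os.urandom(16)}
    weak = {user: fast_unsalted(password) for user in salts}
    strong = {user: slow_salted(password, salt) for user, salt in salts.items()}
    fast_cost = seconds_per_call(fast_unsalted, password, repeat=2000)
    slow_cost = seconds_per_call(slow_salted, password, salts["alice"], repeat=2)
    return {
        # Identical digests: one offline computation covers every reuser.
        "unsalted_digests_match": weak["alice"] == weak["bob"],
        # Distinct digests: each account has to be worked on separately.
        "salted_digests_differ": strong["alice"] != strong["bob"],
        # How much more each offline attempt costs under the slow KDF.
        "cost_ratio": slow_cost / fast_cost,
    }


if __name__ == "__main__":
    print(compare_storage())
```

The cost ratio is why a reset is urgent regardless: until the algorithm is known, the safe assumption is the cheap end of that range.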

Plex’s Response: Contain, Inspect, Fortify

Plex locked down the breach method and began further security reviews. They emphasised that no future incident should catch them unaware (Plex Forum, BleepingComputer).

In their announcement, Plex reassured users that they take security seriously — and that they detected this breach before it escalated (Plex Forum, BleepingComputer).

What You (Yes, You) Need to Do Now

Plex is asking all users to take immediate action:

  • If you use a password to sign into Plex, visit https://plex.tv/reset and reset your password. Be sure to tick the box labelled “Sign out connected devices after password change” — that logs out all your devices, including your Plex Media Server, requiring you to sign back in (Plex Forum, BleepingComputer).
  • If you use SSO (e.g. Google or Apple), go to https://plex.tv/security and hit “Sign out of all devices”. That step logs you out everywhere, necessitating a fresh sign-in (Plex Forum, BleepingComputer).
  • Enable two-factor authentication (2FA) for an extra layer of protection — Plex strongly recommends it (Plex Forum, BleepingComputer).

Plex also reminded users that they will never ask for passwords or credit card numbers via email — if someone does, it’s phishing (Plex Forum, BleepingComputer).

The Echoes Online: A Dash of Insight

In forums, users are sharing practical woes — for example, some had to reclaim their Plex Media Server or re-authenticate on devices like Roku after resetting passwords (Cyber Security Connect).

Others emphasise this could have been worse if they used the same password everywhere. One user, shadowedfox, aptly summarised:

“Enable mfa (if you haven’t already) and change your password, move on with life. Breaches happen…” (Reddit)

Another, PM_ME_YOUR_MASS, asked about SSO users — a helpful answer reminded them that:

“Plex doesn’t have your password, as they’re talking to Apple on the backend…” (Reddit)

Context: Plex’s History with Security

This isn’t the first time. In August 2022, Plex faced a near-identical breach — similar data exposed and users asked to change passwords (BleepingComputer, UpGuard). That suggests either repeat targeting or broader systemic concerns.

Summary Table

You Are… | You Should…
Using a password | Reset it at plex.tv/reset and sign out all devices.
Using SSO (Google, Apple) | Visit plex.tv/security to sign out everywhere and re-authenticate.
Concerned about security | Enable 2FA now. Avoid phishing attempts.
Worried about re-connections | Be prepared to reclaim your server or re-link devices like Roku.