A security incident that may involve your Plex account information

forums.plex.tv

39 points by Shank 3 months ago · 33 comments

amatecha 3 months ago

Once I saw Plex required an account even to self-host, it was a no-go for me. Stuff like this is why. (among other reasons, like "why should I go through a 3rd party for something I'm 100% hosting on my own hardware/network")

I've been very happy with Jellyfin FWIW :)

  • nsbk 3 months ago

    I switched to Jellyfin last year and never looked back. The only thing I find lacking is the Apple TV App, I tried Swiftfin but it stutters the whole time when playing high quality UHD content. I tried Infuse and it works much better

  • shellwizard 3 months ago

    The big selling point of Plex vs Jellyfin is that their app is in all of the major stores. Samsung smart TVs, for example.

m4tthumphrey 3 months ago

I am a huge Plex power user; watching something at least once a day.

Unfortunately, Plex is a bit of a mess these days - constantly pushing Live TV on us, requiring internet access to access local media (this is a killer whenever internet goes down), overly complex, clunky remote access (although this is much better these days). But it still isn't bad enough to make me try and migrate. I love my local setup (Sonarr and a custom app for movies, as Radarr is OTT for the amount of movies we watch) and Plex is very polished (compared to the alternatives), but I do wonder how much longer it will be around.

  • add-sub-mul-div 3 months ago

    Live TV is magical when you set up ErsatzTV and self-host that part as well. You can make channels out of anything. The modes of "I want to watch this specific thing now" and "I want to see what's 'on' right now and pick something to put on in the background" are very different and complementary. I end up relying on the latter more than the former.

  • stinky613 3 months ago

    > requiring internet access to access local media

    Good news! You can whitelist exceptions by IP/subnet

    Go into Plex Settings, then Settings > Network (show advanced). Scroll down to "List of IP addresses and networks that are allowed without auth"

    "Comma separated list of IP addresses or IP/netmask entries for networks that are allowed to access Plex Media Server without logging in. When the server is signed out and this value is set, only localhost and addresses on this list will be allowed."

    Put your local subnet and netmask into that (e.g. "192.168.1.1/255.255.255.0") and you should be all good

    FYI, I also have "Secure Connections" set to "Preferred", but I don't know if that makes a difference for this or not

  • t0lo 3 months ago

    Conversely, I love the Plex TV channels as an alternative to regular Australian free-to-air - same as the LG channels.

    Easy way for me to turn my brain off and find a good documentary/educational show at the end of the day

    • m4tthumphrey 3 months ago

      I don't mind them doing it, but they shove it in my face constantly when I've clearly said I am not interested.

wiether 3 months ago

PSA: If you are the owner of your Plex server and follow the _Sign out connected devices after password change_ as they suggest, your server claim will also be expired.

So you'll have to get a new claim from https://www.plex.tv/claim and set it on your server; through the PLEX_CLAIM env var if your setup involves Docker.

They talk vaguely about it under _Common Issues_ but it wasn't on the original email, so I lost 15 minutes of my day because of this...

  • cprecioso 3 months ago

    Yep, this was a huge hassle for me, I didn't realize it would happen!

    Another option is to do `ssh -L 32400:localhost:32400 <your-plex-address>` and connect to http://localhost:32400/web, it will let you claim the server as it detects the connection being local.

untrimmed 3 months ago

I appreciate the transparency, but the phrase securely hashed always makes me a little nervous. It's a huge spectrum, right? We talking bcrypt/scrypt with a proper salt, or something from the old days?

  • jorams 3 months ago

    When they got hacked three years ago the notice included this:

    > Even though all account passwords that could have been accessed were hashed (with bcrypt plus salted and peppered) and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.

    Whether that later changed for the worse is anyone's guess.
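The two comments above turn on what "securely hashed" means in practice: a slow, memory-hard KDF, a random per-user salt, and a pepper kept outside the database. The block below is an added illustration written for this thread, not Plex's code and not a description of how Plex stores passwords. It uses Python's standard-library `hashlib.scrypt` (bcrypt is not in the standard library, so scrypt stands in for it), applies a pepper via HMAC before the slow hash, stores the work factors alongside the salt so they can be raised later, and flags records that were hashed with weaker-than-current parameters so a service can upgrade them at the next successful login. The pepper value and work factors are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Work factors for new hashes (constructed example values; tune to your hardware).
# Memory use is 128 * r * n bytes, so this is 16 MiB per hash.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the password to a server-side secret (the pepper) before the slow hash.

    The pepper is held outside the user table (config, secret manager, HSM), so a
    dump of the table alone does not give an attacker anything to run guesses
    against. HMAC keeps the output fixed-length, which also sidesteps bcrypt-style
    input truncation if you swap the KDF later.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.scrypt(
        _prehash(password, pepper), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, pepper: bytes, stored: str) -> bool:
    """Recompute with the parameters recorded in `stored`; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt = bytes.fromhex(parts[4])
        expected = bytes.fromhex(parts[5])
    except ValueError:
        return False
    candidate = hashlib.scrypt(
        _prehash(password, pepper), salt=salt, n=n, r=r, p=p, dklen=len(expected),
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record uses another scheme or weaker-than-current work factors.

    Call this after a successful verify and re-hash with the user's plaintext, which
    is the only moment the service has it; this is how "something from the old
    days" gets migrated without forcing a reset.
    """
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    try:
        n, r, p = (int(x) for x in parts[1:4])
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    pepper = b"example-pepper-load-from-secret-store"  # constructed, not a real secret
    record = hash_password("correct horse battery staple", pepper)
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", pepper, record))
    print("needs rehash:", needs_rehash(record))
```

Two points worth noting from the design: the pepper is passed in rather than read from a global, so the same code works whether it comes from an environment variable or a secret manager, and a wrong pepper simply fails verification, which is the desired outcome if a database is stolen without the application config.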

tucnak 3 months ago

On a related note; if you're still considering whether you should put passwords, or rather, hashes thereof—in your application database of choice—please, decide against doing so at all costs! Instead, you should probably use a dedicated secret management deployment: think Hashicorp Vault[1], OpenBao[2], or Keto[3] if you'd like to go beyond with ReBAC (Relationship-based access control) of Google's Zanzibar[4] fame. The benefits of a HA deployment like this far outweigh the upstart integration costs as you get to use a single, shared frame of reference to reason about your internal and external resources alike. Customer passwords, passkeys, certificates, internal CA, ACME, at-rest, in-transit, what have you, is controlled from a single point of consumption with one policy space to rule them all. It helps to use dedicated HSM capability, too. In cloud environments, AWS Nitro enclaves exist now; you could put something like Vault inside one[5].

Vault is more or less Old Testament, though, so if you're serious about zero trust, the Zanzibar paper is a must-read!

Relationships lend nicely to AI agent stuff, where RBAC is putting you at a disadvantage. It's hard to express both direct and indirect access patterns in RBAC, for example whenever agents would act on your, or your user's, behalf within a clearly-defined scope (sic!). This is where traditional RBAC breaks down, whilst ReBAC really shines for expressing relationships between user/agent/system identities, thus greatly simplifying checking, scoping, audit.

[1]: https://developer.hashicorp.com/vault

[2]: https://openbao.org/

[3]: https://www.ory.sh/keto

[4]: https://research.google/pubs/zanzibar-googles-consistent-glo...

[5]: https://edgebit.io/enclaver/docs/0.x/guide-vault/
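The comment above argues that relationship tuples express direct, indirect and scoped access more naturally than roles. The block below is an added toy illustration of that idea, written for this thread; it is not Keto, not Zanzibar's algorithm, and not any product's API. It stores Zanzibar-style tuples of the form (object, relation, subject), where a subject is either a concrete principal such as `user:alice` or `agent:assistant`, or a userset such as `group:eng#member` that expands to every subject holding that relation on that object. A small `IMPLIED_BY` map stands in for Zanzibar's userset rewrites (owner implies editor implies viewer). The sample tuples, names and hierarchy are all constructed for the example.

```python
from collections import defaultdict

# Relation rewrite, constructed for the example: holding a stronger relation on an
# object grants the weaker ones, so "owner" answers a "viewer" check.
IMPLIED_BY = {
    "viewer": ("editor",),
    "editor": ("owner",),
}

# Constructed sample tuples. Note the agent is granted "viewer" on doc:1 only, which
# is the "clearly-defined scope" for an agent acting on a user's behalf.
EXAMPLE_TUPLES = [
    ("doc:1", "owner", "user:alice"),                  # direct access
    ("doc:1", "viewer", "group:eng#member"),           # indirect: via group membership
    ("group:eng", "member", "user:bob"),
    ("group:eng", "member", "group:contractors#member"),  # nested group
    ("group:contractors", "member", "user:carol"),
    ("doc:1", "viewer", "agent:assistant"),            # scoped delegation to an agent
    ("doc:2", "owner", "user:bob"),
]


class RelationStore:
    """In-memory tuple store with a recursive check and an expand-for-audit walk."""

    def __init__(self, tuples):
        self.index = defaultdict(set)  # (object, relation) -> {subject, ...}
        for obj, rel, subj in tuples:
            self.index[(obj, rel)].add(subj)

    def check(self, obj, rel, subject, _seen=None):
        """Does `subject` hold `rel` on `obj`, directly or through usersets/rewrites?

        `_seen` guards against cycles in group membership; a revisited node has
        already failed (or is in progress), so returning False there is sound.
        """
        seen = _seen if _seen is not None else set()
        key = (obj, rel)
        if key in seen:
            return False
        seen.add(key)
        for stored in self.index.get(key, ()):
            if stored == subject:
                return True
            if "#" in stored:  # userset: recurse into the referenced relation
                uobj, urel = stored.split("#", 1)
                if self.check(uobj, urel, subject, seen):
                    return True
        for stronger in IMPLIED_BY.get(rel, ()):
            if self.check(obj, stronger, subject, seen):
                return True
        return False

    def who_has(self, obj, rel, _seen=None):
        """Expand to the concrete principals holding `rel` on `obj` (for audit)."""
        seen = _seen if _seen is not None else set()
        key = (obj, rel)
        if key in seen:
            return set()
        seen.add(key)
        result = set()
        for stored in self.index.get(key, ()):
            if "#" in stored:
                uobj, urel = stored.split("#", 1)
                result |= self.who_has(uobj, urel, seen)
            else:
                result.add(stored)
        for stronger in IMPLIED_BY.get(rel, ()):
            result |= self.who_has(obj, stronger, seen)
        return result


def build_example_store():
    return RelationStore(EXAMPLE_TUPLES)


if __name__ == "__main__":
    store = build_example_store()
    for obj, rel, subj in [("doc:1", "viewer", "user:alice"),
                           ("doc:1", "viewer", "user:carol"),
                           ("doc:1", "editor", "user:bob"),
                           ("doc:1", "viewer", "agent:assistant"),
                           ("doc:2", "viewer", "agent:assistant")]:
        print(f"{subj:16} {rel:7} {obj}: {store.check(obj, rel, subj)}")
    print("audit doc:1 viewers:", sorted(store.who_has("doc:1", "viewer")))
```

The contrast with RBAC is in the last two checks: the agent's grant is a tuple on one object, so scoping it to `doc:1` needs no per-scope role, and the audit question "who can view doc:1, and why" is answered by the same walk that answers the check. A production system would add tuple versioning and consistency tokens, which is most of what the Zanzibar paper is about.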

gbil 3 months ago

I can only comment that their communication on the incident is lacking. I read about the incident yesterday and only today I received the relevant email. On top, it seems that all of a sudden I started getting marketing emails from them although I had unsubscribed in the past; coincidence?

rockbruno 3 months ago

I made an account there to use my Home Assistant as a media server and it's already the second time they reported that they messed up something. I heard you can install VLC on the Apple TV and stream through that, so I'll definitely do that and skip these weird middle companies.

  • Tajnymag 3 months ago

    Why not use Jellyfin then? It's basically an open source alternative to Plex. You run Jellyfin on your server and on Apple TV use Swiftfin (Jellyfin + Swift) for integration.

  • dav43 3 months ago

    I just use infuse or vid hub app and an SMB share.

8cvor6j844qw_d6 3 months ago

Anyone remember a few years back there was a major Lastpass data breach?

I roughly recall Plex is somewhat involved in the compromise. One of the LastPass employees was compromised via Plex, which led to the LastPass data breach, if I'm not mistaken.

bigiain 3 months ago

Dupe?

https://news.ycombinator.com/item?id=45174684

(Or at least related, this submission has the plex.tv website breach notification, not just the text of the email.)

joecool1029 3 months ago

Maybe related to last month's serious vuln: https://app.opencve.io/cve/CVE-2025-34158

spondyl 3 months ago

Thanks for the reminder. I went to reset my password when the email went out but when following the reset flow, I hit a Cloudflare page (due to the origin presumably having crashed) and got sidetracked

cranberryturkey 3 months ago

use zymotv instead of plex or emby

  • bigiain 3 months ago

    Is Emby somehow related to Plex?

    I use Emby, only because a few friends did and recommended it. I'd probably switch to something more secure and/or open source given the right push.

  • colordrops 3 months ago

    Or better yet use Jellyfin.

    • hnlmorg 3 months ago

      I’ve been considering switching to Jellyfin.

      I’m getting increasingly frustrated at just how badly Plex behaves for home setups, which is the entire point of installing something like Plex.

      Most annoying still, I’ve even paid for their premium products in the hope that it would make things behave better and it did not.

      The only reason these security incidents happen is because Plex try to extort home users. There isn’t any other compelling reason to have your details on their database with credentials to active installs.

      • wiether 3 months ago

        I am part of a network of "Plex admins", meaning each one of us owns and maintains their own Plex server with their own library.

        Thanks to the centralized Plex account, we can share our libraries with each other in a few clicks.

        You can do the same if you don't have a server, basically being a member of various Plex servers and accessing everything through a single account and interface.

        Sure, requiring an account if all you want to do is be the single user accessing your own instance is useless, and if that's your use case, then Plex is not the right tool for you.

        I tried Plex, Emby and Jellyfin, but I stayed with Plex because of this easy sharing feature.

      • Sheeny96 3 months ago

        I run my Jellyfin on a Pi 5 8GB (with a bunch of other homelab stuff) and run an OSMC (Kodi + Jellyfin plugin) on a Pi 3b 2GB with absolutely no issue. OSMC automatically integrates with my TV remote, runs very low power and smooth. I never used any of the Plex stuff that wasn't my media, so I prefer it this way. Less bloat, more customisable.
