Ahoy beautiful people of Plex! I’m here with a quick update about the recently-disclosed security incident over at Cloudflare, a web proxy service that we use extensively for several parts of our infrastructure. In some rare circumstances, data passing through Cloudflare may have been exposed.
tl;dr: Sensitive Plex user data like passwords and billing information do not pass through Cloudflare and are not affected by this issue. However, our www.plex.tv site and our forums, which are backed by Cloudflare, use automatically-generated “tokens” behind the scenes to sign you in. User authentication and login services are provided by plex.tv, which does not use CloudFlare. These tokens do pass through Cloudflare, so we’ve taken the precaution of invalidating them. You probably won’t notice, since we can usually automatically issue new tokens from information stored in your browser, but in some cases you may be prompted to sign in again.
If you’ve never heard of Cloudflare before, it’s because they generally go about powering large portions of the internet quietly and with remarkable efficiency. We’re huge Cloudflare fans here at Plex; lots of stuff from that beautiful artwork in your media library to Media Server downloads to this very blog are delivered around the world in no time thanks to them. We’d like to thank the good folks at Cloudflare as well as the top notch security team from Project Zero for handling this swiftly and professionally.
And it wouldn’t be a security post without a gentle reminder to pick strong, unique passwords everywhere, and in this case, keep an eye out for updates from sites that were affected and change those passwords. It’s still a harsh internet out there, stay safe!