Plex Blog

Security Notice: Forum User Password Resets

July 2, 2015

Updated July 6th, 2015: After thorough investigation by a team of forensic specialists, we’ve identified the source of the compromise to the forums server. As we had suspected, the attackers gained entry by exploiting bugs in the forums software, some of which may not be well understood, publicly disclosed, or have patches readily available. The investigation did not turn up any other compromised systems.

We’re continuing to investigate, but as you can imagine, it wouldn’t be wise to bring the forums back to life before being comfortable that we’re not vulnerable to the same attack. As such, we’re exploring all options, including migrating to new forums software. 

We’re committed to bringing back the forums as soon as humanly possible. We worked tirelessly over the holiday weekend, and will continue to work until the forums are back. We appreciate your continued patience, and apologize for this inconvenience.

Normally we’re super excited to hit the big green “Post” button on a fresh blog post, since it usually means we’re announcing something new and exciting. Unfortunately, the Internet can be a pretty rough place, posts like these are sometimes necessary, and we think it’s super important to share what we know to help keep you all safe.

At approximately 1pm PDT yesterday (July 1st) we learned that the server which hosts our forums and blog was compromised. The attacker was able to gain access to some personal information, such as IP addresses, forum private messages, email addresses, and encrypted (hashed and salted) passwords for our forum users. As a precaution, we reset the plex.tv passwords of all users with linked forum accounts and reached out via email with further instructions for those affected. At this time, our forums remain offline while we complete our investigation. All other systems are online and operational.

We have no reason to believe that any other parts of our system were compromised, and we never store credit card or other payment data on our systems.

It’s worth taking a moment to remind everyone that it’s super important to choose strong passwords, never share them, and never re-use them on different sites. Even better, consider using a password manager like 1Password or LastPass to create unique, strong passwords for all the sites and services you visit.

We’re very sorry for the inconvenience this has caused many of you. We’ll update this post with more information and status as soon as it’s available.

Here are some common issues which we’re seeing in the comments:

After changing my password, my account keeps getting locked: The most likely cause we’ve seen is that you’re running “plexWatch” or some other third-party app. Either disable the app, or update the password in its settings.

After changing my password, I can’t access my server (remotely): If you reset all your devices as well, you’ll need to log into the server again, which is not the same as logging into plex.tv. You’ll need to access your server locally to sign in again. Read these support articles for help. If you’re not local to the server, read the last section in this article.

After changing my password, I seem to have issues matching, getting posters, etc.: Make sure your channels are up to date, as we pushed a minor fix due to the downed server. If you’re still having issues, restarting your server should resolve them.

UPDATE (7/2/2015): Added a FAQ section.
UPDATE (7/6/2015): Added updated information.
