Media streaming platform Plex has warned customers about a data breach, advising them to reset their password.
Plex said an attacker broke into one of its databases, allowing them to access a “limited subset” of customer data. This included email addresses, usernames, hashed passwords, and authentication data.
“Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account… Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.”
Hashing is a way to protect users’ passwords by transforming them into a scrambled and unreadable format before storing them. Think of it like turning a password into a unique “fingerprint” of fixed length, made of seemingly random letters and numbers, that doesn’t resemble the original password. This scrambled form is called a hash, and it is created using a special mathematical process called a hash function.
The main point about hashing is that it is a one-way process: once a password is hashed, it cannot be reversed or decrypted back into the original password. When you log in, the system hashes the password you enter and compares that to the stored hash. If they match, you get access. This means companies never store your real, plain-text password, which helps keep your credentials safe even if their database is hacked. How much protection this gives depends on the hash function used and on whether each password was combined with a unique salt before hashing: weak or unsalted hashes can still be guessed offline by hashing candidate passwords and looking for a match.
The downside is that some systems are vulnerable to pass-the-hash attacks, in which an attacker who obtains a stored hash can sign in with it directly, because the hash itself acts as the credential. Those attacks are mainly a concern in Windows network environments.
In the case of the Plex breach, pass-the-hash attacks are less of a worry for regular users. Plex uses hashed passwords mainly for user login access to its streaming platform, not for network-level authentication. The stolen hashes don’t directly enable attackers to authenticate anywhere else without cracking them first.
However, as a precaution, Plex users should still follow the instructions from the company, below.
If you normally log in using a password: Reset your Plex account password immediately by visiting https://plex.tv/reset. During the reset process you’ll see a checkbox to “Sign out connected devices after password change,” which the company recommends you enable. This will sign you out of all your devices (including any Plex Media Server you own). After the reset you’ll need to sign back in with your new password.
If you normally log in using Single Sign-On: Log out of all active sessions by visiting http://plex.tv/security and clicking the button that says “Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
For further account protection, we also recommend enabling two-factor authentication (2FA) on your Plex account if you haven’t already done so.
Look out for any phishing attempts that may try to prey on this incident. Plex has said that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments.
Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.