Plex Media Streaming platform suffers data breach affecting user account data
Take action: If you are using Plex, immediately reset your password, log off from all devices and log in again. And if you receive an email claiming to be from Plex with a link to reset a password, DO NOT click on the link. Go to plex.com and reset the password from the official website.
Learn More
Plex, the popular media streaming service and client-server media player platform is reporting a security incident that exposed sensitive user account information.
An unauthorized third party accessed a limited subset of customer data from one of the company's databases, compromising authentication credentials for users across the platform. The incident was detected on September 8, 2025 and per company information was quickly detected and blocked.
The compromised data includes:
- Email addresses
- Usernames
- Securely hashed passwords
- Authentication data
The nature of the attack and the number of affected individuals is not disclosed. The streaming platform stressed that any account passwords that may have been accessed were securely hashed.
Plex is requiring all users to immediately reset their account passwords as a precautionary measure. Users are being directed to reset their passwords at https://plex.tv/reset and are advised to enable the "Sign out connected devices after password change" option during the process. This action will automatically log users out of all connected devices, including Plex Media Servers, smart TVs, mobile applications, and other streaming devices, requiring fresh authentication with the new credentials.
For users who access Plex through Single Sign-On (SSO) services such as Google or Apple accounts, the company recommends logging out of all active sessions by visiting https://plex.tv/security and clicking the button that says "Sign out of all devices". This measure ensures that any potentially compromised authentication tokens are invalidated across all devices and platforms.
The company is also reminding users to enable two-factor authentication for added protection and stresses that it will never ask for passwords or credit card details over email.
Plex has warned users to be careful against potential phishing attempts that may use this incident. Cybercriminals often exploit data breaches to launch targeted social engineering attacks against affected users.
