Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Plex Database Hacked

Featured Replies

Just saw this posted on reddit.

 

Full email from Plex:

 

Dear Plex User, We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.

 

What happened

 

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.

 

What we're doing

 

We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.

What you can do Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password here.

We'd also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven't already done so.

Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third-parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses.

For step-by-step instructions on how to reset your password,

visit: https://support.plex.tv/articles/account-requires-password-reset

Thank you, The Plex Security Team

It is LEGIT. I got the email, and everyone I know did. Just changed everything without any issues. Make sure you guys click the sign out of all devices checkbox as well.  Had everyone who wasn't using MFA implement it. I suggest everyone do the same. I'm not worried, and I am glad they were up front with what happened. Other than that get LIFELOCK and HOME TITLE LOCK to round out your identity protection package. It has saved my butt a couple of times!

 

 

Edited by falconexe

1 hour ago, falconexe said:

Make sure you guys click the sign out of all devices checkbox as well.

Just to insist on the point, it's quite important.

Yeah Awesome. I am away from home, saw this and reset my password. Now I can not access my personal server running in Docker. UGH

  • Author
19 minutes ago, Barryrod said:

Yeah Awesome. I am away from home, saw this and reset my password. Now I can not access my personal server running in Docker. UGH

I don't run Plex but have seen others experience something similar.

Here's a possible solution:

 

For those running plex in a docker container (probably also applicable for other hosting) and who just reset their password: Do this:

Remove the preferences entries described in this article: https://support.plex.tv/articles/204281528-why-am-i-locked-out-of-server-settings-and-how-do-i-get-in/

After restart, go to https://www.plex.tv/claim/ and generate a new claim key

run this command in a terminal (adapt to your ip and claim)

curl -X POST 'http://127.0.0.1:32400/myplex/claim?token=claim-xxxxxxx'

3.1) Alternatively, run your docker container (or docker-compose) with the environment variable "PLEX_CLAIM=claim-xxxx"

After that, your server will be available again (you might have to configure it for online availability again. Go to "http://127.0.0.1:32400/web", log in, configure remote access in the settings)

Edited by Lolight

27 minutes ago, Lolight said:

I don't run Plex but have seen others experience something similar.

Here's a possible solution:

 

For those running plex in a docker container (probably also applicable for other hosting) and who just reset their password: Do this:

Remove the preferences entries described in this article: https://support.plex.tv/articles/204281528-why-am-i-locked-out-of-server-settings-and-how-do-i-get-in/

After restart, go to https://www.plex.tv/claim/ and generate a new claim key

run this command in a terminal (adapt to your ip and claim)

curl -X POST 'http://127.0.0.1:32400/myplex/claim?token=claim-xxxxxxx'

3.1) Alternatively, run your docker container (or docker-compose) with the environment variable "PLEX_CLAIM=claim-xxxx"

After that, your server will be available again (you might have to configure it for online availability again. Go to "http://127.0.0.1:32400/web", log in, configure remote access in the settings)

Yeah, but I am away from home right now LOL.

 

Either I have to wait til I get home OR I have to depend on the wife actually following some directions LMAO. Not sure which will be harder

Im having issue after reset the password even my server is up when i run plex i got server offline.

I've try to WEBUI to my plex server i got This XML file does not appear to have any style information associated with it. The document tree is shown below.

 

1 hour ago, feins said:

Im having issue after reset the password even my server is up when i run plex i got server offline.

I've try to WEBUI to my plex server i got This XML file does not appear to have any style information associated with it. The document tree is shown below.

 

Same issue here

The only things I changed after receiving the email about the breach were:

1. Password updated

2. Enabled 2FA

 

I restarted the docker container immediately after I did both of those things.

 

5DF94CAA-CAE7-42C4-BFD1-BB87E0B9CBCE.jpeg

Edited by LxLuthor

In the same boat... argh... anyone successfully get the claim token and stuff to work?  

2 hours ago, feins said:

Im having issue after reset the password even my server is up when i run plex i got server offline.

I've try to WEBUI to my plex server i got This XML file does not appear to have any style information associated with it. The document tree is shown below.

 

You have to "RECLAIM YOUR SERVER" (in plex server general settings".

4 minutes ago, doobyns said:

You have to "RECLAIM YOUR SERVER" (in plex server general settings".

I dont' have an option to do that. 

28 minutes ago, doobyns said:

You have to "RECLAIM YOUR SERVER" (in plex server general settings".

Unfortunately the server settings are unreachable since the server isn't actually fully starting.  So going to plex.tv and signing in, it'll show the server as unreachable and the only settings available are the Plex Web & Plex Account settings.  But the actual server settings are not available.

 

There's also no way to change it locally because of the XML error page.

Edited by LxLuthor

Ok, so just in case anyone has a similar issue to me... let me explain what I did.

 

I followed the directions above and removed the 4 parameters/variables from the xml file from the app data folder.  started up the docker and then was able to reclaim via the general settings.  While you would THINK this would be easy, my laptop was on a different subnet than the server and I NEVER got the claim option in general.  Once I thought about it and realized the laptop was not on the IOT network; I swapped over and now have the claim option.  

 

So, just in case anyone else is running multiple networks at their house, make sure you jump on the same subnet.  Not sure why that made a difference but it did.

 

Perhaps I didn't need to edit the xml file, so first try joining the same network just in case you run an IOT network like I do. 

Edited by dnoyeb

3 minutes ago, dnoyeb said:

Ok, so just in case anyone has a similar issue to me... let me explain what I did.

 

I followed the directions above and removed the 4 parameters/variables from the xml file from the app data folder.  started up the docker and then was able to reclaim via the general settings.  While you would THINK this would be easy, my laptop was on a different subnet than the server and I NEVER got the claim option in general.  Once I thought about it and realized the laptop was not on the IOT network; I swapped over and now have the claim option.  

 

So, just in case anyone else is running multiple networks at their house, make sure you jump on the same subnet.  Not sure why that made a difference but it did.

 

Perhaps I didn't need to edit the xml file, so first try joining the same network just in case you run an IOT network like I do. 

 

I don't even have an XML file in the appdata folder under Plex.  I have 5 empty folders.  Super odd.

The Docker I'm running has the Plex token in the Template. Can't I just edit it there?

Or do I need to generate the token first by doing everything suggested in that link? I'm not at home so I'm questioning things before I attempt them. Lol

 

Nevermind not the same thing. 

 

 

4 hours ago, Lolight said:

I don't run Plex but have seen others experience something similar.

Here's a possible solution:

 

For those running plex in a docker container (probably also applicable for other hosting) and who just reset their password: Do this:

Remove the preferences entries described in this article: https://support.plex.tv/articles/204281528-why-am-i-locked-out-of-server-settings-and-how-do-i-get-in/

After restart, go to https://www.plex.tv/claim/ and generate a new claim key

run this command in a terminal (adapt to your ip and claim)

curl -X POST 'http://127.0.0.1:32400/myplex/claim?token=claim-xxxxxxx'

3.1) Alternatively, run your docker container (or docker-compose) with the environment variable "PLEX_CLAIM=claim-xxxx"

After that, your server will be available again (you might have to configure it for online availability again. Go to "http://127.0.0.1:32400/web", log in, configure remote access in the settings)

I followed these instructions and it worked. thank you.

I stopped the docker container

I found the preferences.xml file under \UNRAID IP ADDRESS\applications\plexmediaserver\Library\Application Support\Plex Media Server\preferences.xml

I made a backup copy, deleted the keys:

    PlexOnlineHome="1" (note: I didn't see this one in the file)

    PlexOnlineMail="[email protected]"

    PlexOnlineToken="RanDoMHexIDecIALtoKeNheRE"

    PlexOnlineUsername="ExampleUser"

restarted the server

ran the curl command as above (with the new claim code)

All seems ok now (i.e. the red/white exclamations seem to have disappeared)

 

I had to reclaim my Plex server using a new Claim token after my password reset. I am using the official docker.

Ya I think the complexity for my setup was the different subnets and firewall rules between them.  Was unable to do the curl command successfully.  Anyways, looks like we have a few successes now in this thread with ideas for others to try!  

3 hours ago, TheWombat said:

I followed these instructions and it worked. thank you.

I stopped the docker container

I found the preferences.xml file under \UNRAID IP ADDRESS\applications\plexmediaserver\Library\Application Support\Plex Media Server\preferences.xml

I made a backup copy, deleted the keys:

    PlexOnlineHome="1" (note: I didn't see this one in the file)

    PlexOnlineMail="[email protected]"

    PlexOnlineToken="RanDoMHexIDecIALtoKeNheRE"

    PlexOnlineUsername="ExampleUser"

restarted the server

ran the curl command as above (with the new claim code)

All seems ok now (i.e. the red/white exclamations seem to have disappeared)

 

 

This process worked for me.  Just remember (unlike me!) that the claim token expires in 5 minutes.  I was banging my head against the wall trying to figure out why my terminal command wasn't working.

10 hours ago, Lolight said:

I don't run Plex but have seen others experience something similar.

Here's a possible solution:

 

For those running plex in a docker container (probably also applicable for other hosting) and who just reset their password: Do this:

Remove the preferences entries described in this article: https://support.plex.tv/articles/204281528-why-am-i-locked-out-of-server-settings-and-how-do-i-get-in/

After restart, go to https://www.plex.tv/claim/ and generate a new claim key

run this command in a terminal (adapt to your ip and claim)

curl -X POST 'http://127.0.0.1:32400/myplex/claim?token=claim-xxxxxxx'

3.1) Alternatively, run your docker container (or docker-compose) with the environment variable "PLEX_CLAIM=claim-xxxx"

After that, your server will be available again (you might have to configure it for online availability again. Go to "http://127.0.0.1:32400/web", log in, configure remote access in the settings)

 

5 hours ago, TheWombat said:

I followed these instructions and it worked. thank you.

I stopped the docker container

I found the preferences.xml file under \UNRAID IP ADDRESS\applications\plexmediaserver\Library\Application Support\Plex Media Server\preferences.xml

I made a backup copy, deleted the keys:

    PlexOnlineHome="1" (note: I didn't see this one in the file)

    PlexOnlineMail="[email protected]"

    PlexOnlineToken="RanDoMHexIDecIALtoKeNheRE"

    PlexOnlineUsername="ExampleUser"

restarted the server

ran the curl command as above (with the new claim code)

All seems ok now (i.e. the red/white exclamations seem to have disappeared)

 

 

YES! these instructions worked! what a clusterf*ck!! it should be easier to solve than browsing forums for an obscure solution!

10 minutes ago, ShadowVlican said:

YES! these instructions worked! what a clusterf*ck!! it should be easier to solve than browsing forums for an obscure solution!

I think it is for most people. :) 

Remember that the only people posting on the forums are those who have problems, not the large number of users form whom it works fine.

 

Took me 2 minutes, I did everything from the webgui and didn't touch any kind of files.

48 minutes ago, ChatNoir said:

I think it is for most people. :) 

Remember that the only people posting on the forums are those who have problems, not the large number of users form whom it works fine.

 

Took me 2 minutes, I did everything from the webgui and didn't touch any kind of files.

 

Same for me. I just posted to let everyone know that I didn't run into any issues, and that everyone should take this seriously and do it. Glad everyone is figuring it out.

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.