Media streaming platform Plex suffered a data breach where an unauthorized third party accessed a subset of its customer database. The compromised data included email addresses, usernames, and securely hashed passwords, though no payment card information was exposed. While Plex claims the passwords were hashed per best practices, the lack of transparency about the hashing algorithm raises concerns about potential cracking attempts. The company urged users to reset passwords, enable two-factor authentication (2FA), and log out all connected devices to mitigate risks. This marks the second such breach in under a year, with a nearly identical incident occurring in August 2022, where authentication data was similarly exposed. Plex stated it had addressed the breach method but provided no technical details. Customers were advised to remain vigilant against phishing attempts, as the company emphasized it would never request passwords or credit card details via email.

Plex is facing a critical security risk due to CVE-2025-34158, an improper input validation vulnerability in its Plex Media Server (PMS) software, affecting versions 1.41.7.x to 1.42.0.x. Despite a patch being released in version 1.42.1, over 314,000 internet-exposed instances remain unpatched, predominantly in the US and Europe. The flaw carries the highest CVSS score, enabling remote exploitation without authentication or user interaction. Successful exploitation could lead to a total loss of confidentiality, integrity, and availability, allowing attackers to access, corrupt, or delete private media data, crash servers, or use compromised systems as footholds for further attacks—as seen in the 2022 LastPass breach, where a Plex vulnerability (CVE-2020-5741) facilitated malware deployment on an employee’s device. While no public PoC exploit exists yet, the ease of exploitation and historical abuse of Plex flaws heighten the risk. Users are urged to update immediately and secure access controls to mitigate potential breaches.

A server hosting the forums of Plex, the popular digital media streaming service was hit by a ransomware attack in July 2015. The attack compromised personal information including customer data, software, files, email addresses, encrypted passwords, and other data. The firm declined to pay the ransom to the hackers to delete the stolen information from them and restored its systems from backup.