- cross-posted to:
- selfhosted@lemmy.world
- technology@lemmy.world
We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
I seem to recall a lot of people saying this is exactly what they were worried about when Plex forced everyone to central authentication servers.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party.
Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
Sounds like as far as security incidents go, this is as good as they can be. Sounds like someone got in and could maybe see some email addresses and not much else.
No security guy, but if the passwords were just hashed and not salted it’s not ideal. Better than plaintext for sure though.
EDIT: Plex employee confirmed they do salt (and pepper, which I’m less familiar with), the last time they were hacked and had passwords exposed, fwiw.
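An added example (not part of the thread, and not Plex's actual scheme, which the page does not describe) showing the difference the comments above are discussing: an unsalted hash, versus a per-user salt plus a server-side pepper. The pepper value, function names and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed demo value. A real pepper is a secret kept OUTSIDE the database
# (config, secrets manager, HSM), so a dump of the user table does not include it.
PEPPER = b"constructed-demo-pepper-not-a-real-secret"
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def unsalted_hash(password: str) -> str:
    """Fast hash, no salt: equal passwords always produce equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Pepper step: key the password with the server-side secret.
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    # Salt step: slow KDF with a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def hash_password(password: str, pepper: bytes = PEPPER) -> tuple[bytes, bytes]:
    """Return (salt, digest); both are stored in the user record."""
    salt = os.urandom(16)
    return salt, _derive(password, salt, pepper)


def verify_password(password: str, salt: bytes, digest: bytes,
                    pepper: bytes = PEPPER) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(_derive(password, salt, pepper), digest)


if __name__ == "__main__":
    # Two users picking the same password (constructed sample input).
    print("unsalted equal:", unsalted_hash("hunter2") == unsalted_hash("hunter2"))
    salt_a, dig_a = hash_password("hunter2")
    salt_b, dig_b = hash_password("hunter2")
    print("salted equal:  ", dig_a == dig_b)
    print("login ok:      ", verify_password("hunter2", salt_a, dig_a))
    # Someone holding only the database rows (salt + digest) lacks the pepper,
    # so even the correct password does not verify against the stored digest.
    print("without pepper:", verify_password("hunter2", salt_a, dig_a, pepper=b""))
```

With the salt, one precomputed table no longer covers every account; with the pepper, the stored rows alone are not enough to test password guesses.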
If they were hashed then they were likely salted too, not much reason to not do both. Especially since they said “in accordance with best practices”, otherwise they’re just lying lol. They probably just didn’t want to make the announcement too technical.
I choose to believe this lol
in accordance with best practices
They absolutely would have been salted, as that is best practice. Just not something the average Plex user understands most likely.
It’s such a pain. On the one hand, central account management has allowed me to easily explain to and sign up friends and family who don’t trust anyone except Google/Facebook/Netflix/etc but I also hate having these breaches happen.
I started converting an old email address years ago to a new email hidden behind an email redirect due to the amount of breaches the old one was involved in. An absolute pain to do but now I can just update the proxy email address in the face of a breach like this.
I use Jellyfin. I just give them the IP and they click their name, then I whitelist them.
“I don’t know. I’m not clicking a number thing.” - My normie family and friends. I have an address that is literally my name. Like literally my legal name. And they’re skeptical of it.
Once while trying to troubleshoot something we wanted one person to install WireGuard. In his words “I’m not installing some random software I’ve never heard of just to fix this”.
Sometimes it’s worth remembering that the simple act of being here on Lemmy means we’re probably the most tech literate people we know and if you’re lucky enough to have a tech literate bubble around you as well then a simple invite to Jellyfin really is simple. But my group of friends are… less techy…
What do you do when your IP changes?
Give them the new one. It doesn’t happen very often. 3 months since the last time.
As for if theirs changes, they just let me know if they can’t get in and I investigate and it’s because I need to whitelist a new IP.
That doesn’t happen very often either, but I only have 2 people outside my house who use it.