Plex User Passwords Compromised in Data Breach

Originally published at: Plex User Passwords Compromised in Data Breach - TidBITS

Streaming service Plex is warning users to change their passwords after user data was compromised. Here’s how to do so.

I opened my Plex account by signing in with Apple. The password shows as “not set” while my email is the typical random characters @

Does using Sign In with Apple mean I don’t have to concern myself with this sort of data breach?

I’d not, how would I go about updating my login?

You should be fine. Using a ‘Sign in with…’ service for a site means that the site delegates the authorization decision to the service you are using for the sign-in. So, it has not stored any passwords or other information associated with the sign-in token. So there is nothing to compromise here.

Of course, if the service (Google, Facebook, Apple, etc.) has its password store compromised then you might be in a heap of trouble for all sites where you have designated that service as your login authorizer.

1 Like

Depending on how their service works, of course.

For all the services I’ve worked with, you can always log in and revoke the authentication token, which would force you to re-authenticate on any service using the token.

If one of them gets hacked, I would expect (once the hack is discovered) that they would summarily revoke all the tokens and force a password-reset on the next access. So a thief trying to access a site that relies on the token would need to re-authenticate, and should (hopefully) be unable to reset the password due to not having access to whatever service (e.g. a third-party e-mail system or 2FA) is required to perform that reset.

I’ve been trying to delete my Plex account (never used) but got into a Kafka-esque nightmare of multiple clicking. You’d think that clicking ‘Delete account’ would do the business, wouldn’t you? But no, that resulted in an email instruction to reset my password. Has anyone successfully deleted a Plex account, and if so, how did you achieve that, please?!

Update: I managed to delete my account this morning. At the previous attempt it must have got itself into some kind of loop about resetting the password.