California - Sep 09, 2025 (UTC) - Media streaming giant Plex is urging its 25 million global users to immediately change their passwords following a data breach that compromised customer account information from one of its databases.
The company disclosed the security incident on Monday, September 9, 2025, revealing that unauthorized individuals gained access to a limited subset of user data including usernames, email addresses, scrambled passwords, and unspecified authentication data.
“We are aware of a security incident involving the theft of Plex customer account information,” the company stated in an official forum post. While Plex emphasized that the passwords were scrambled using industry-standard hashing techniques, the company acknowledged uncertainty about whether the encrypted data could potentially be deciphered or used to gain unauthorized account access.
Immediate Action Required
Plex is directing all users to reset their passwords through the company’s password reset form at app.plex.tv/auth and recommends signing out of all connected devices as a precautionary measure. “We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to ‘Sign out connected devices after password change’, which we recommend you enable,” the company advised users.
Notably, Plex has not implemented a forced password reset across all accounts, a standard security practice typically employed by companies following data breaches involving password compromise. The reasoning behind this decision remains unclear.
Limited Details on Breach Scope
The streaming platform has provided minimal details about the incident’s scope and timeline. Key unanswered questions include:
- The exact number of affected users among Plex’s global user base
- When the breach occurred and its duration
- The discovery date of the security incident
- The specific method used by attackers to gain system access
- Whether any ransom demands were made
Plex stated it “addressed the method that this third party used to gain access to the system” but declined to provide specifics about the vulnerability or potential risks to customers.
Company Response and Investigation
The company emphasizes that the impact appears limited and is taking swift action to address the issue, according to reports. Plex stressed that passwords were hashed following industry best practices in their security notification to users.
When contacted for additional information, Plex spokesperson Jessica Finn did not provide responses to media inquiries by press time.
Security Context and Recommendations
This incident marks another significant security challenge for Plex, which previously experienced a data breach in 2022. Experts recommend enabling 2FA and unique passwords, as highlighted by recent vulnerabilities in streaming platforms.
The breach affects one of the world’s largest media streaming platforms, with Plex serving approximately 25 million users globally who use the service to stream personal media collections and access various entertainment content.
User Advisory
All Plex users are strongly advised to:
- Immediately reset passwords at plex.tv/reset
- Enable the “Sign out connected devices” option during password reset
- Consider enabling two-factor authentication for enhanced security
- Use unique passwords not shared with other online accounts
The investigation into the security incident remains ongoing, with Plex promising to provide updates as more information becomes available.
