Plex: Another data breach!

@evileddy · 2025-09-15 21:45 · plex

Looks like another plex data breach occured a few days ago:

17473092cf7b57158c59d03f99682aebbd324e05.png

https://forums.plex.tv/t/important-notice-of-security-incident/930523

-=[ What Happened ]=-

Plex recently confirmed a database breach that exposed account information. Email addresses, usernames, and hashed passwords may have been accessed. Even though Plex stores passwords securely, attackers can attempt to crack weak ones.

-=[ Immediate Actions: ]=-

1 - Change Your Plex password!!! -Go to https://www.plex.tv/ → Account Settings → Change Password

-Use a strong, unique password!!

2 - Sign Out of All Devices

-After changing your password, select "Sign Out of Connected Devices" to force a re-login everywhere. ( pain in the ass but better safe than sorry! )

3 - Enable Two-Factor Authentication (2FA)

-In Account Settings → Two-Factor Authentication, scan the QR code with an authenticator app (Authy, Google Authenticator, etc.).

-Save backup codes offline securely!!

-=[ Extra Password Stuff for fun ]=-

You can check if your old password appears in a known breach using a local linux bash script that only shares the HASH of your password and not directly in plain text using a simple linux bash script.

-=[ What the Script Does ]=-

passcheck.sh lets you test a password against the "Have I Been Pwned" (https://haveibeenpwned.com/) breach database without exposing the password itself.

The script converts the password into a SHA-1 hash and only sends the first five characters of the hash to the HIBP API.
This k-anonymity method means the full password and complete hash never leave your machine, so the check cannot reveal your actual password to anyone.

-SSH to your favorite linux box and create the script with nano:

nano passcheck.sh

-Paste this simple script into editor:

#!/bin/bash
read -s -p "Enter password to check: " password
echo
hash=$(echo -n "$password" | sha1sum | awk '{print toupper($1)}')
prefix=${hash:0:5}
suffix=${hash:5}
result=$(curl -s "https://api.pwnedpasswords.com/range/$prefix" | grep "$suffix")
if [ -z "$result" ]; then
    echo "✅ Your password was NOT found in the breach database."
else
    echo "❌ Your password HAS been found in the breach database:"
    echo "$result"
fi

-Save the file.

-Make it executable: chmod +x passcheck.sh -Run it: ./passcheck.sh

Example output of testing weak password: "connect1"

image.png

Example output of testing a more secure unique password:

image.png

Hope this helps and stay safe out there!!!

-=[ BONUS CAT TAX ]=-

20210903_161307.jpg

evileddy HIVE BLOG.png

#plex #security #linux #password #twofactor #breach
Payout: 0.000 HBD
Votes: 6
More interactions (upvote, reblog, reply) coming soon.