We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
What we’re doing
We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.
What you must do
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
Additional Security Measures You Can Take
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.
Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.
For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset
You must log in or register to comment.
Why is plex being targeted. Plex is innocent I say.
How to be innocent (not really): Step 1. Insist that users absolutely MUST use your cloud server for every login into a self-hosted tool on their own hardware. Step 2. Have shit security. Step 3. Ow wow, now users’ data is all over your systems! Hackers clap their hands and do a happy dance. Step 4. Send out “we’re sowwy” email.
Easiest decision to delete an account I’ve ever made.
Man. My decision to go with Jellyfin just keeps paying off more and more
No doubt. Why do you need an account on their servers to use a server on your own hardware? So dumb.
The second I saw that I immediately looked for alternatives and abandoned plans to have my own Plex server. I knew it would enshittify fast when they can lock you out of your own server
fuck plex for plenty of other reasons, but you can disable authentication on your local network.
Just a matter of time until they remove that
For me… my server software is running. But the account doesn’t see it. And as such I can’t claim my server to get it back up and running.
Fun times. Glad I changed my password. :/
If you just changed your password and now you don’t have access… Directly connect to the server http://<serverip>:32400/web and you’ll get the setup prompt to connect it back to your account.
If that doesn’t work you can restart the server and try again (should catch up that it’s unauth’d). Or run a tool like https://github.com/ChuckPa/UserCredentialReset to reset it so you can reauth it.
jellyfin is goated. Long live jellyfin!
Y hope you know how to harden jellyfinn, because they are not better than plex team…
My Jellyfin is behind a Crowdsec + Cloudflare proxy with geoblocking and other protections + Reverse Proxy with additional protections, in a rootless Docker container with no access to the Docker socket, and has only access to a mounted folder which contains just downloaded movies and shows. The effort to break in is high, the reward very low.
But the most important difference between Jellyfin and Plex is that neither Jellyfin devs nor Jellyfin instances have any personal or credit card information from their users, and therefore are way less a problem if hacked into.
Good to read you know how to implement some protection layers around your jellyfinn :)
But most of the people (specially the plex ones) don’t have the technical background to deploy something like you have, and convince those people to do the switch without knowing how to protect themselves is not a wise thing to do. Specially when this time, plex response was perfectly fine :)
Good luck getting a similar reaction to the myriad of security issues Jellyfin has
Yeah, but you can run jellyfin with local accounts, entirely within a VPN. Pretty much makes most security issues irrelevant.
Which is the exact mindset that enables Jellyfin devs to not fix those issues, congratulations
Maybe? Like, I’d very much prefer they fix them, even though they do not impact my use case. Still, they don’t.
I don’t mean to come across as confrontational, but, maybe stop defending it then? You can keep using and liking the software while still holding the devs accountable for what is basic modern web security.
If all the Jellyfin users I saw acknowledging the issues actually stopped acting like it was a non issue, maybe the Jellyfin devs would do something about it.
I received this email, but two of my users who have their own accounts (not just profiles on my account) did not receive this. Thinking only server owners were affected?
Nah, only server operators were notified. Assume all accounts were affected.
4h edit: well then. Seems like this statement may not be true and my account may actually be out in the wild with you filthy sluts. Going to check tomorrow morning and might shut the whole thing down.
Negative. Had a Plex server and lifetime pass forever and I didn’t receive squat.
Same. This post was the first I heard of it.
That’s interesting. I’ve never let it outside my LAN so I don’t really feel affected, I also didn’t get an email.
ope: I lied. got the email 2 hours ago.
Keep in mind that the only reason they deny you the ability to log in to your own local service with your own local sign-in method is that they may upsell you on their cloud junk. If there’d be no cloud account involved - your data would not be at risk and/or leaked. They endangered your privacy for marketing purposes.
If you have not moved off of Plex - do it now. This company is fully rotten.
The email they sent out has
reply-toaddress that conveniently does not work…But brooo, don’t you know you need to have a cloud login. You neeeeeed it broo, so they can have all your info leaked bro. How else can I give access to somebody if I don’t pay 200+ bucks for the privilege of accessing my own library bro.
Data leaks happen bro, no need to worry it’s the third time in a decade. This is a text book pro response anyway, they deserve more money bro.
How dare you suggest people use another software bro, they deserve your money each month, not these leeches giving you free software. Plus Plex is so much more secure anyways, just look at them getting hacked bro. Your jellyfin is so insecure you need a PhD in cyber bro-security to even think about doing it. Look at all the jellyfin instances getting hacked every day. Someone could even guess a UUID and access 10s of playback of my pirates movie bro, see how it’s so full of holes bro
I guess I’m going to find out if they really deleted my user data when I asked them to
Narrator: Jesus fuck, I have to say the line again?
I harbor a strong dislike for the profiteers at Plex but their security incident response is textbook correct. Good job security dudes! The rest of your stupid company should listen to you more often.
It shows how low the bar is, that just bare bones complying with GDPR notification requirements so as not to risk a €20M fine, is enough to make people talk about how good a job you did.
As I slide the needle from “strongly dislike” to “not a fan”.
Good on em
I do think they missed a bit about password reuse, since they tell you to reset the password on their site, you should be changing the password on any other sites where you reused it. But yeah, not arguing about it being good otherwise.
Huh, I guess centralizing all of that userdata was a bad idea. Weird. If you hack some dude’s Jellyfin, you just hack some dude and no one else.
Q: How can you tell someone uses Jellfin?
A: Don’t worry, they’ll tell you!
How do you know someone uses Plex ?
They’ll tell you they got the lifetime for only 299 and it’s a steal you should buy it tooHow do you know someone uses Plex?
Check their browser history for ChatGPT queries on how to connect to 192.168.1.1.
You don’t even have to hack jellyfin though. Quite a few endpoints aren’t behind authentication at all.
But that doesn’t help your case so I’m sure you’ll just downvote me.
Edit: For those who don’t know. https://github.com/jellyfin/jellyfin/issues/5415
Several issues. Some require being logged in with any account (to get other user information on the server, including admin)… others are endpoints that let media access if you guess a guessable md5 hash(which is normalized in docker setups in general… and standardized by *arr setups. So highly guessable if you use these tools… which most of you are). The sort of thing that media companies will absolutely abuse eventually if they’re not already doing it to collect proof that you’re hosting their content illegally. But I just find it laughable that this is the answer… but ya’ll are frothing at the mouth over plex leaking an email address… Oh no! not the email address you already get boatloads of spam at! However will you live!
Endpoints that dont give you any data that would be considered a breach.
That unauthentic endpoint shit is so overblown. They should be authenticated and I hope it changes in the future, but its really not a serious issue. If they worry you, put the endpoints behind your own authentication through your reverse proxy.
Complete access to your media without authentication isn’t “don’t give you any data”.
Meanwhile you’re all frothing at the mouth cause Plex leaked email addresses and encrypted passwords.
And you’re correct. It’s not a breach… because it wasn’t protected to begin with.
Edit: You ninja edited your post… bad nettiquette.
put the endpoints behind your own authentication through your reverse proxy.
Breaks every app for jellyfin including tv apps. So no. that’s not a valid answer.
Edit2: And I want to be clear about this… I don’t simp for Plex I want off of the platform too… But Jellyfin in it’s current state is a much worse security nightmare IMO. I can at least kill the plex relay binary and packet sniff it to know that it’s not sharing data I don’t want it to share. Jellyfin just lets everyone in that can guess a filepath (which you can “fix” by obfuscating it… but ask any security professional about that.) and somehow Jellyfin is the messiah? Devs ignoring a 5+ year old issue that already proof-of-concepted… is wild.
Complete access to your media without authentication isn’t “don’t give you any data”.
The media on my server is not what I’d consider private data, it’s just media. If someone wants to spend their time brute forcing randomized UUIDs to have a minuscule chance of viewing some media on my server, then I really couldn’t care less. Especially since they’re gonna get blocked by http probing detection after a few tries.
If someone could the emails and hashed passwords, then I would care about the spam I’d be constantly receiving after and the possibility of my friends and family’s passwords being exposed, as not all of them use secure passwords (despite my best efforts to convince them to change that).
Simply put, if I was using Plex right now, this breach would impact the many family members and friends using my server, something I’d feel guilty about. Meanwhile, with Jellyfin, none of these concerns would have any effect on them.
Edit: You ninja edited your post… bad nettiquette.
I edited it right after posting because I accidentally clicked post. Didn’t think you’d respond that fast.
Meanwhile you’re all frothing at the mouth cause Plex leaked email addresses and encrypted passwords.
This was my only comment in the thread. Kinda feels like your reply here is taking out your frustration with this entire thread on my reply.
put the endpoints behind your own authentication through your reverse proxy.
Breaks every app for jellyfin including tv apps. So no. that’s not a valid answer.
I assumed you were talking about stuff besides media playback. There are other endpoints that can be secure using your reverse proxy without breaking any apps.
Jellyfin just lets everyone in that can guess a filepath
That’s not how the endpoint works. It is a randomized UUID.
Depending on your security posture, this may be an issue for you. It is not for me, and likely is not for many other users. My media is not sensitive information. My email and other identification info is.
Edit: formatting
That’s not how the endpoint works. It is a randomized UUID.
It’s not. It’s an MD5 of the filepath. UUIDs are generic and random, not specifically tied to something.
https://github.com/search?q=repo%3Ajellyfin%2Fjellyfin+md5&type=code
If you do a basic search, you’ll find that most api endpoint generated values are simply md5 of the filepath. And they just call this a GUID in the code… it’s not. It’s completely determinable. And the problem with this is expounded considerably if you use a default docker config (so folder path is known) and an *arr stack (so filenames get standardized). How many people modify these things significantly? Pre-hash a few permutations and just check away… Get someone like Sony (who’ve installed rootkits on people’s computer before… so they don’t give a shit), and now you could find yourself in court.
https://github.com/jellyfin/jellyfin/blob/3936fc9f253d15ae31afbdfe5fcf1684c441263c/Jellyfin.Api/Controllers/VideosController.cs#L315 is the api call itself. No auth.
Depending on your security posture
Is exactly the problem I have though with the evangelical preaching all about jellyfin here. I’ve brought this topic up probably about a half dozen times in the 2 years I’ve been on lemmy… and a while longer before on Reddit. DOZENS of people comment the same things you are… and get it completely wrong. And many more end up messaging me or responding that they had no idea this was an issue. Yet I continue to see people singing praises of Jellyfin! and how it must be so much more secure! When it completely isn’t. So many people brush it off… then flip their shit about Plex doing something.
Especially since they’re gonna get blocked by http probing detection after a few tries.
If we’re talking “mitigations”. Plex is more secure by default… and if you want to get off their auth… you can access your network via VPN and set the VPN subnet as “local” so you don’t have to do their auth. But at least plex doesn’t just let unauthed people access whatever they can guess as a default out the box option. And certainly don’t have any security issues sitting around for 5+ years waiting for a dev to do something about it.
Edit: forgot to finish a thought. Finished it.
Edit2:
This was my only comment in the thread. Kinda feels like your reply here is taking out your frustration with this entire thread on my reply.
Which immediately points to Jellyfin… as if it was “better” somehow. while downplaying the actual issue without actually reading what I’m complaining about
That unauthentic endpoint shit is so overblown.
Overblown if you have mitigations? Sure… but how many do? And why are we treating software that is taking actual actions to better security as “Worse” than something that can’t clear a simple problem in 5+ years because devs don’t want to “break compatibility”.
Edit3: OH! forgot this as well… “well they’d need to know where to find servers before they can access them to check!” Yup… hello shodan! https://www.shodan.io/search?query=jellyfin Would be trivial to make a script that does all of this and crawls shodan or other sources for domain/ip information. Hell you can probably just look up all LE certs issued that contain “jf” or “jellyfin” or other permutations of subdomains too. But shodan has a list of 11,788 when I check… that’s not insignificant…
Love you for still trying. I don’t know how often I’ve written the same comment. They simply don’t care.
I think people think that I’m anti-jellyfin or something. I’d love to dump Plex… I WANT to dump it so bad (basically the day they did the arcade shit I’ve been highly turned off, what was that? 6 years ago?). But Plex is the best tool for what I need. Jellyfin could be there… But it’s not. Everytime I see it recommended blindly without the massive caveats (especially in the context of a random Plex fuckup that is substantially less of a problem) I just feel compelled to attempt to remind people. I dunno. Deaf ears maybe… but blind trust just because it’s open source isn’t the answer either. And honestly it turns me off contributing to some of the projects that I do because if I was to speak out about problems in those… how many people would listen?
The most succinct response I’ve seen on the matter “The statements The Jellyfin Project makes about exposing Jellyfin directly to the Internet, without a reverse proxy, is less about Jellyfin being insecure and more about there being no effort made to make Jellyfin secure.”
I gotta say, “I’m sure you’ll downvote me” is a bitch-ass pre-complaint. you can just make your case and see what happens first.
you can just make your case and see what happens first.
Oh… You mean like half dozen or so times that I’ve already brought this up over the past 2 years on lemmy, and a while before that on Reddit? It’s only after I write a whole book on the matter that the upvotes kick in. And these discussions ALWAYS end up with much higher downvote ratios than most of the other stuff I comment on. Up to and including getting called names like “shill”.
Example of the last time this was brought up that I participated in… https://slrpnk.net/comment/15703455 (which got mod removed it seems… it’s still accessible to me on my server at https://lemmy.saik0.com/post/1622830) which was the “news” of a plex staff member leaving a comment for the plex app on the Google Play store…
Or this time… Where we were all complaining about the app redesign (which I also hate) https://lemmy.saik0.com/post/1517257… The root comment was lemm.ee though… which is gone. My comment starts at https://lemmy.saik0.com/comment/4476520.
I’ve discussed the matter ad nauseum… and more often than not it’s received pretty poorly. It’s not a cop out or “bitch-ass pre complaint” when I have the history to point at.
Edit: Oh and here too… https://beehaw.org/post/19228632
so what, first of all, you’re just assuming the person or people reading your comment will do the same thing that’s been done to you by others before, which is weird. I’ve had the same kind of comment downvoted and upvoted on different threads. not everyone sees every comment…
but even if you were 100% right, it’s still a bitch-ass pre-complaint. it’s one thing to start with “this is gonna be downvoted to hell but I’m still gonna say it” or something along those lines… what you said was specifically about the person you were replying to, and you even gave a reason like “oh this is gonna hurt your feefees so you’re gonna downvote it” it’s just weird. the vibes are off.
Have you tried being less of a prick about it?
I find I’m less of a prick about things if I’m not called things like “prick” and “shill”.
Yet here we are. You’ve fulfilled the prophesy! Thanks for making the world a better place.
Bruh. You were being a prick about it long before he called you out on a being said prick. It’s why he called you a prick.
I feel at this point that you just wanted to write “prick” as many times as you could in one sentence… Have at it.
Good job! You understand that servers serve data! You are very smart!
Do you think your bank serving your data/account access to someone that isn’t you would be acceptable?
After all, their servers are just serving data, therefore they’re correctly doing their job, right?
Good servers would serve data only to those authenticated to receive it! Which Jellyfin clearly isn’t.
You’re literally in a thread where the OP topic is Plex getting hacked. I guess more secure on paper is good enough for willful ignorance.
I’m in a thread where Plex admits, responds, then TAKES ACTION. Versus the open source project that’s known about an issue for 5+ years… and sticks their fingers in their ears and tells you that you’re the problem.
I guess that we’ll just reward that project that’s lucked itself into not having an issue rather than a product that actually is trying.
Edit: Oh… and the actual “loss” of data matters here… My email isn’t special. My username isn’t special… The hashed and salted password isn’t special to me. None of this data matters to me in the slightest in this instance. However, potentially probing the content on my server directly DOES matter to me.
I’m in a thread where Plex admits, responds, then TAKES ACTION. Versus the open source project that’s known about an issue for 5+ years… and sticks their fingers in their ears and tells you that you’re the problem.
If installing wireguard and using proper opsec is hard then I guess they’re right.
I guess that we’ll just reward that project that’s lucked itself into not having an issue rather than a product that actually is trying.
You paid good money for it. Should Jellyfin users get a refund? PM me, I’ll send all of you $0 in XMR.
Doesn’t matter if your info is stolen?
Name email address, password, access history, and probably IP and location…
And that’s just what they disclosed, but they don’t have any timeline or real actions taken to prevent continued access. They don’t even tell you what exactly has been accessed: “information that was accessed included emails, usernames, securely hashed passwords and authentication data.”. It’s really not text book response for a security breach.But all of that is less important to you than the fact you have Avengers: Endgame in your library?
They are leeches taking money from you, but you 'd defend them even if they killed your dog.Edit: it’s the third time in a decade Plex got hacked. Please list instances where jellyfin leaked the data of all their users.
I geoblock everywhere but my home town and VPN everyone else, plex kiddie. If Jellyfin can’t do security, do it yourself and get to whitelisting and blacklisting. You can, can’t you, or do Plex users get confused when they see a wireguard private key?
Weird, I’d more think Plex users to be the lazy type to install their systems by copying and pasting from ChatGPT.
Personally I wish I could just make authentication optional on my jellyfin just like it is for peertube and funkwhale.
That would be a perfectly valid answer… But the Devs have posted several times that they’re not interested in resolving it.
I’d accept a checkbox on install of Jellyfin for “Check this box for better security… some unsupported software might not like this. Go to Options/blah/blah to change this later if you need to change this later.”
I’d probably shut the fuck up about this whole thing and dump Plex. But every single time Plex ends up in an article there’s people singing praises about Jellyfin when there’s completely open endpoints… It just baffles me. Downvotes be damned, I’ll bring it up though when I see it since the devs won’t bother telling people their software has a potentially big problem (especially if you use default configs, docker, and *arr stacks).
Well its good to make sure people know about it, but I would think most admins already know and just don’t care. Its certainly not news to me, and doesn’t seem very useful in terms of actually exploiting anything.
I’m curious what youd think a kind of worst case scenario would be for any of the current jellyfin auth issues. Like what would someone with bad intentions be able to do?
I think the Plex issue with emails being stolen is a bigger problem because then those emails can get phished for their Plex accounts and possibility more. I still wouldn’t consider it a huge deal though, Plex handled it correctly.
My real issue with Plex and why I constantly shit on them is that they stole from XBMC and made a business model that monetizes piracy or at least tries to.
Stolen is a bit loaded in my opinion… XBMC was open source. All the parts that rely on that are available for free. Lots of websites out there sell shit… and run off of NGINX or Apache. taking open source things and building on them is common at this point.
I’m curious what youd think a kind of worst case scenario would be for any of the current jellyfin auth issues. Like what would someone with bad intentions be able to do?
Edit: Fuck, hit enter early… one moment. Edit2: here we go…
you have your setup… you configured it like the git repo said too and even used the container guide told you to (https://jellyfin.org/docs/general/installation/container/). You have now standardized the path… because the internal path that is recommended in the official compose will likely not change… (especially in the linuxserver version, https://hub.docker.com/r/linuxserver/jellyfin). Then you hear about *arr stack stuff and how people evangelize that on this platform too ( I’m one of them!). Standard naming convention gets applied there too…
So now bigbucksbunny.mov is stored on /data/movies/bigbucksbunny(2008)/bigbucksbunny.mov. You can pre-calc that md5 hash and probably nail people right now and get a result. Now be SONY or some other lawsuit happy studio. Grab a list of all your releases and precompile common paths and names (this would like be something that an LLM would be good at doing… fetching lists of paths that people post on reddit and other places)… generate the MD5 list. Maybe 1000 permutations of your top 10 movies… bonus points if there’s no physical release (since you could claim that you ripped the content yourself… can’t do that on streaming only content). Curl through the list of 10000 variants… if you get a hit on anything then you know they have your content… and it’s publicly accessible (which could be argued in court for distribution… though I’m not a lawyer and don’t know how reasonable that is.) You as the owner would then be on the hook… and lawsuits would commence promptly.
This is a potential “worse case” in my mind. Of course because they have evidence of access direct from your system, they can then subpoena access to the whole system… where your whole library becomes available for them to search further for more copyright violations and now your in real deep shit to explain to the courts.
Now… if you’re in a country that doesn’t care! Cool… just stop recommending Jellyfin to those that would get fucked by this. Are there ways to mitigate this highly? Absolutely… fail2ban, anubis, cloudflare bot detection shit, changing paths or adding GUID to your media library path… all can probably fix this… But none of that is in the jellyfin docs… and NOBODY else seems to mention it except for me when this discussion comes up… So how many people are actually doing it?
Stolen is loaded… XBMC was open source. All the parts that rely on that are available for free.
Okay so they violated the GPL to produce their product, it started off on good terms and contributing back up stream but then they got greedy and decided to stop giving back, On top of that they also provide nothing upstream to FFMPEG or any other of the open source projects they benefited massively from… basically they are leeches of open source software… but you are technically correct [1] to say its not literally stealing.
[1] The best kind of correct
I just edited what I meant to originally send… Now I’m replying so you get flagged and can look at it. Sorry that I fat fingered the enter button and jacked up the thread. My bad.
Edit2: here we go
That makes sense, I appreciate you taking the time. Its certainly not a very big issue for me personally, and i do have other mitigations in place for more general attacks like fail2ban, but not everyone is in the same situation so its a valid concern to mention.
I do think you’re overestimating the risk, Studios are unlikely to go to such lengths when there are bigger, easier targets. Still, it’s not entirely negligible, even if the exploit seems fairly benign to me personally.
My thinking as a sysadmin is if someone has security concerns, they wouldnt be JUST with jellyfin in most cases, you’d be securing an entire server (or paying someone else to handle that part), so its issues to keep in mind sure, but the mitigation would be mainly outside of jellyfin specifically anyway, thus why its not really mentioned in jellyfin’s docs or considered a big concern by the devs.
So I’m not really disagreeing with anything you’ve said, but I you haven’t changed my mind either, I’m still going to recommend jellyfin over plex.
Don’t expose jellyfin to the internet and it won’t be hacked. But you are forced to make a Plex account, if you want to use Plex.
Don’t expose Jellyfin and you don’t have a competitor program that does what Plex does… stop recommending it as a replacement if it’s not a replacement. And this is ignoring that it’s recommended to expose to the internet on their own documents.
But you are forced to make a Plex account, if you want to use it.
You’ve missed the point. You can’t be mad at plex for taking action and closing security gaps after becoming aware of them… then in the same breath recommend a service that can’t even be on the internet because it’s so poorly secured.
You can use Jellyfin with wireguard and still have what Plex does. Unless you want to run an open streaming service (which would probably be illegal in most countries anyway).
90% of Plex users probably don’t need what Plex does and would be happy with Jellyfin.
You can use Jellyfin with wireguard and still have what Plex does.
Okay… Run wireguard on a roku TV or other many other common media devices. You can’t…
Unless you want to run an open streaming service (which would probably be illegal in most countries anyway).
You can use Plex and JF both without actually hosting illegal content. You should still be worried about devs who refuse to fix a basic security issue that they actively block from being merged.
90% of Plex users probably don’t need what Plex does and would be happy with Jellyfin.
probably… and 99% of users likely have no idea how to secure things properly on their own. Which makes this whole premise even more dangerous for the “typical” person.
Okay… Run wireguard on a roku TV or other many other common media devices. You can’t…
Sucks for you. Android TV boxes can, Linux Media PCs can. Weird. Almost like you’re pirating media and you can’t be asked for a bit more effort.
Sucks for LG tv people… and Samsung Tizen users… And all sort of other people too! But I guess you go out of your way to purchase hardware for everywhere that you go and want to watch TV then, eh?
I sure as shit am not dragging a whole Media PC setup to a hotel with me. Or to my in-laws house. Or my aunt’s… But they all have a roku.
Your answer is effectively throw money and support at it… which isn’t really a good answer. Especially the moment the user isn’t strictly “you”.
You can use Plex and JF both without actually hosting illegal content.
Where’s the fun in that? We’re on Lemmy. Cut loose a little.
Well… I mean… you can host your spank bank materials there. Fun is what you make of it.
This isn’t the first time they’ve been breached, there was an incident in 2015 and 2022 as well. From what I can gather its the same info being gathered each time.
There might be others but I can’t find th at the moment.
I think that’s a pretty good response. More details will probably emerge in the next few days that could change my mind, but for now that gives me a bit of confidence in their platform.
In comparison, a few years ago I was a patient at an IVF clinic in Sydney. I saw some absolutely bonkers security and repeatedly raised it with them. They wouldn’t hear it, and almost expectedly they were hacked and now my sperm count is public information. Their response was delayed and appalling. If my medical records were treated a severely as a streaming platform, I would have been happy.
So what’s your count, bro? Save me the trouble of looking it up myself and all.
I kid but the serious lack of security in medical isn’t just in Australia. I’m just a construction worker with an interest in networking and such but I see blatant violations nearly every job I’m on.
I checked, their sperm count is over 300 million, I’m pretty sure I got pregnant reading it.
I’ll add it to my linked in profile to warn potential coworkers.
I’m adding it to my KinkedIn
That’s a valid domain, btw.
True Alpha
Can someone finally realize we need to hash the emails too? I don’t really give a fuck about my passwords, I can change them and they have 2fa.
But changing my email? Pain in the ass and far more irritating to deal with.
Why would you need to change your email?
What does hashing an email address mean to you? Please be specific.
Then how would they email you?
Look at addy.io and similar.
Ideally, they wouldn’t
Decode like any other PII, so it is encrypted at rest and when stolen.
So not hashed, and readable through whatever API accesses it anyway.
Encryption and hashing are different things. You can’t get the original back out of a secure hash. They’re used only to confirm that whatever piece of data you have now matches the one that was provided originally, because they produce the same hash. You can’t store hashes for any data that you ever want to be able to read.
Yeah I want thinking when I wrote that. But the idea still stands encrypt the emails.
e-mail hasing is viable if you are only using your email for sign in and account recovery. Unfortunately it’s not happening because every service would also want to send you periodical emails about other stuffs.
Hope they did actually delete my data when I deleted my account, but I don’t think I use that password anywhere anymore anyway.
Anything of this nature announced over the next little while has like a 70% chance of being related to the huge Salesloft/Drift hack. The wording here makes me wonder if it’s also the cause for plex.
I used to have a Plex account but it has been many many years since i used it although i did use a stupid hard long password for it that i don’t use for anything else. I am not even sure if i remember that password to go change the pass and or delete the old account. I used to store all kinds of TV series but i quit collecting TV series and deleted all or most of that anyway. Was neat for awhile that it allowed pause resume and remembered what episodes and had the description and box art and play time and accessible on all my devices to stream over LAN. But i don’t need it. I can just open vlc or kodi on fire tv and i share a folder samba / smb and that works perfectly. I also quit watching tv years ago so i have no use for it. Storing all the information also took too much of my hard drive space when i don’t have a lot. Games became too huge and i need space for that and for other iso files for different operating systems.
“So I tied an onion to my belt, which was the style at the time”
Ok
-
admitted the issue immediately
-
reassured users as to actual scope of breach, probable risk
-
provided recommended actions for users who think they may be impacted.
-
explained best-practices (enough for a laymen’s audience) and how they limited scope and impact.
-
did not deflect blame
My god…I’ve got to hand it to plex. This is the perfect incident response letter. Love 'em or hate 'em, this is a good example for other CISOs.
Fully agree. There is no time and space to play the blame game, as it simply does not matter at this point. React swiftly and be transparent. You are free to invest months afterwards for investigations and followups
They didn’t provide any real timelines, unless I missed something. Trust me bro, we shut it down real fast.
I mean I don’t understand the accolades for literally just following the law.
You can follow the law and still screw up the response/announcement pretty badly, and so many do not even manage that much.
So yeah. It’s satisfying when someone acts both professionally and conscientiously in a situation like this.
Yeah, even if it is the law, companies do tend to fall short of adhering to said law. For example, a lab that does cancer screening got hacked and pretty much messed up their entire response.
-
