Updated July 6th, 2015: After a thorough investigation by a team of forensic specialists, we’ve identified the source of the compromise of the forums server. As we had suspected, the attackers gained entry by exploiting bugs in the forums software, some of which may not be well understood or publicly disclosed, or may not yet have patches readily available. The investigation did not turn up any other compromised systems.
We’re continuing to investigate, but as you can imagine, it wouldn’t be wise to bring the forums back to life before being comfortable that we’re not vulnerable to the same attack. As such, we’re exploring all options, including migrating to new forums software.
We’re committed to bringing back the forums as soon as humanly possible. We worked tirelessly over the holiday weekend, and will continue to work until the forums are back. We appreciate your continued patience, and apologize for this inconvenience.
Normally we’re super excited to hit the big green “Post” button on a fresh blog post, since it usually means we’re announcing something new and exciting. Unfortunately, the Internet can be a pretty rough place, so posts like this one are sometimes necessary, and we think it’s super important to share what we know to help keep you all safe.
At approximately 1pm PDT yesterday (July 1st) we learned that the server which hosts our forums and blog was compromised. The attacker was able to gain access to some personal information, such as IP addresses, forum private messages, email addresses, and salted password hashes for our forum users. As a precaution, we reset the plex.tv passwords of all users with linked forum accounts and reached out via email with further instructions to those affected. At this time, our forums remain offline while we complete our investigation. All other systems are online and operational.
We have no reason to believe that any other parts of our system were compromised, and we never store credit card or other payment data on our systems.
It’s worth taking a moment to remind everyone that it’s super important to choose strong passwords, never share them, and never re-use them on different sites: a password cracked from one site’s leaked hashes is the first thing an attacker tries everywhere else. Even better, consider using a password manager like 1Password or LastPass to create unique, strong passwords for all the sites and services you visit.
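As an added example (this is not code from the post, and the forum software’s actual scheme is not described here), this is what “hashed and salted” storage looks like in practice using PBKDF2-HMAC-SHA256 from Python’s standard library: every user gets a fresh random salt stored next to the digest, two users with the same password end up with different records, and checking a login recomputes the digest rather than decrypting anything. The record format and the iteration count are assumptions for this example.

```python
import hashlib
import hmac
import os

# Assumption for this example: PBKDF2-HMAC-SHA256 with a work factor in the
# range current guidance recommends. The real forum software's scheme is not
# described on the page.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The salt is stored in the clear on purpose: its job is to make every
    record unique (so precomputed tables and cracking one hash do not help
    with the next), not to be secret.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time.

    Nothing is decrypted; a leaked record can only be attacked by guessing
    candidate passwords and paying the full PBKDF2 cost for each guess. That
    is why a breach of salted hashes still warrants a reset: weak or reused
    passwords are guessable regardless of how they were stored.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salting_makes_records_distinct(password, iterations=ITERATIONS):
    """Two users with the same password get two different records, and both verify."""
    first = hash_password(password, iterations=iterations)
    second = hash_password(password, iterations=iterations)
    return first != second and verify_password(password, first) and verify_password(password, second)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Correct horse battery staple", record))  # False
```

The forced reset in the notice above follows directly from `verify_password`: the stored salt buys nothing against an attacker who simply guesses the user’s (reused or weak) password, so the only safe move after a leak is to make every stored record obsolete.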
We’re very sorry for the inconvenience this has caused many of you. We’ll update this post with more information and status as soon as it’s available.
Here are some common issues which we’re seeing in the comments:
After changing my password, my account keeps getting locked: The most likely reason we’ve seen for this is if you’re running “plexWatch” or some other third party app. Either disable the app, or update the password in its settings.
After changing my password, I can’t access my server (remotely): If you reset all your devices as well, you’ll need to log into the server again, which is not the same as logging into plex.tv. You’ll need to access your server locally to sign in again. Read these support articles for help. If you’re not local to the server, read the last section in this article.
After changing my password, I seem to have issues matching, getting posters, etc.: Make sure your channels are up to date, as we pushed a minor fix due to the downed server. If you’re still having issues, restarting your server should resolve them.
UPDATE (7/2/2015): Added a FAQ section.
UPDATE (7/6/2015): Added updated information.
We’re incredibly excited to let you know that we’re teaming up with DigiCert to provide all of you with high quality SSL certificates for your media servers, at no cost to you. Your media server will now be able to communicate securely with top-grade encryption. This may not sound like a big deal, but we’re not exaggerating when we say that this will be one of the largest implementations of publicly trusted certificates, ever.
When we first started our little operation so many years ago, the Internet was a much kinder and gentler place. Ah, the halcyon days before NSA wiretapping, ISP traffic shaping, POODLE, Heartbleed, and LaBRADooDLE.
Okay, I made that last one up, but it’s only a matter of time.
Needless to say, times have changed. In today’s Internet security climate, it’s a laughable offense if every packet leaving and entering your network is not encrypted and its recipient verified. The security community has rallied to create some truly amazing technology to enable this for traditional web sites. In a nutshell, your browser and your bank’s website work their asses off under the hood to render that coveted “green lock”, which assures you that the connection is encrypted and that the server on the other end holds a certificate for your bank’s name, so yes, the form that you’re typing your account number and password into is actually your bank’s and not, in fact, being served up by a golden retriever.
This is tricky enough when trying to secure a single web server, but for a system like Plex, comprised of a bazillion servers talking with clients running on every platform under the sun, it’s another matter entirely.
(At which point, the peanut gallery yells “Just add an S to wherever you were using HTTP. Duh.”)
Oh, if only it were that easy…
Let’s look at some of the complexities. For starters, secure communication requires something called a certificate, which binds a public key to the name of a site. Now anyone can make a (self-signed) certificate, but it can be tedious to install, and for a browser to trust it and give it that elusive green lock, it has to have been signed by an authority the browser already trusts. It’s a pretty laughable security experience if the browser warns you that your server isn’t trusted! So we knew from the start that we needed real, publicly trusted certificates, and there are a few problems with that. For starters, they’re expensive, especially when multiplied by a bazillion. And we knew we wanted to give a secure experience to everyone, not just our Plex Pass users. And that’s why we hooked up with the amazing team at DigiCert, and they were all “you want an ungodly amount of certs? We can do that!” So yeah, we’re buying you all DigiCert certificates for your media servers. Because we love you, and because your security and privacy are really important to us.
Secondly, as mentioned before, we’re on a lot of platforms, and there are lots of nuances to secure communication. For example, did you know that Internet Explorer requires Diffie-Hellman primes to be larger than 512 bits? Did you know that certain models of LG TVs ship with a specific set of root certificates which is missing some common ones you might expect? Frankly, I hope you have no clue what I’m talking about here, because it gave us some major headaches along the way, but if you’re nodding your head as you reach for your small-batch home brew IPA, send us a resume. No, really.
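To make the Diffie-Hellman point concrete, here is an added example (not Plex code) that reads a PEM “DH PARAMETERS” file of the kind `openssl dhparam` writes, recovers the prime p from the PKCS#3 DER structure (a SEQUENCE of INTEGER p, INTEGER g and an optional INTEGER l) and reports its size against a floor. The 2048-bit floor and the sample moduli are assumptions for the example: the sample numbers merely have the right size and are not primes, so use them for nothing but exercising the checker.

```python
import base64
import re

# Assumption for this example: treat anything under 2048 bits as too weak.
# The post reports Internet Explorer refusing primes of 512 bits or fewer;
# a sensible modern floor is considerably higher than that.
MIN_DH_BITS = 2048

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _der_length(n):
    """DER length: short form below 128, else 0x80|count followed by big-endian count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER for a non-negative int: minimal bytes, leading 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params(p, g):
    """Build a PEM 'DH PARAMETERS' block (PKCS#3 DHParameter) from p and g."""
    inner = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem):
    """Return (p, g) from a PEM DH PARAMETERS block; raise ValueError on malformed input."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(match.group(1).split()))
    tag, sequence, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(sequence, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(sequence, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    return (int.from_bytes(p_bytes, "big", signed=True),
            int.from_bytes(g_bytes, "big", signed=True))


def dh_strength(pem, minimum_bits=MIN_DH_BITS):
    """Return (prime_bits, acceptable) for the parameters in pem."""
    p, _ = parse_dh_params(pem)
    return p.bit_length(), p.bit_length() >= minimum_bits


# Constructed sample inputs: right size, NOT real primes (only the size is checked here).
WEAK_PEM = encode_dh_params((1 << 511) | 1, 2)
STRONG_PEM = encode_dh_params((1 << 2047) | 1, 2)

if __name__ == "__main__":
    for name, pem in (("weak", WEAK_PEM), ("strong", STRONG_PEM)):
        bits, ok = dh_strength(pem)
        print(f"{name}: {bits}-bit prime, {'acceptable' if ok else 'too small'}")
```

Point `dh_strength` at the `dhparam` file your server loads and you get the same answer `openssl dhparam -in FILE -text -noout` would show, without having to read the dump by eye.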
Next is the server itself, which doesn’t just have to support HTTPS, it has to do so avoiding many pitfalls, crocodiles, and whatever else was in that awesome game. Thankfully there are tools to help with that, and they even give you a grade. Let’s just say the Plex Media Server is an overachiever! Its parents are so proud.
Last of all, the media server can be accessed both remotely and on a LAN. At any given time, it may be reachable at multiple addresses, some of which change. Certificates, on the other hand, are issued for a fixed set of DNS names (an IP address can appear in a certificate too, but public CAs rarely issue those, and a LAN address that changes can’t be pinned down in one anyway), and a client will only trust a certificate whose names cover the name it connected by. So we’ve worked some DNS magic to remove that limitation, and make things Just Work.
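Added example (not Plex code) of what “issued for names” means on the client side: a certificate’s subjectAltName lists DNS names (and, rarely, IP addresses), and the client accepts the certificate only if the name it dialled matches one of them under the RFC 6125 rules (case-insensitive, a wildcard only as the entire leftmost label, standing for exactly one label). The sample subjectAltName below is constructed and uses the tuple layout that Python’s `ssl.SSLSocket.getpeercert()` returns; a connection made to a bare IP address is checked against IP entries only, which is exactly the case a LAN address hits.

```python
import ipaddress


def san_from_peercert(cert):
    """Split the 'subjectAltName' tuples returned by ssl.SSLSocket.getpeercert()
    into DNS names and IP addresses."""
    dns_names, ip_addresses = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_addresses.append(value)
    return dns_names, ip_addresses


def dns_name_matches(pattern, host):
    """RFC 6125 section 6.4.3 style match of one dNSName pattern against host:
    exact match, or a '*' that is the entire leftmost label and stands for
    exactly one label. '*.com'-style patterns are refused (assumption:
    mirrors common browser practice)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_covers(cert, host):
    """True if the certificate may be used for the name or address the client dialled."""
    dns_names, ip_addresses = san_from_peercert(cert)
    try:
        wanted = ipaddress.ip_address(host)
    except ValueError:
        wanted = None
    if wanted is not None:
        # An IP literal never matches a dNSName entry, only an iPAddress entry.
        return any(ipaddress.ip_address(entry) == wanted for entry in ip_addresses)
    return any(dns_name_matches(pattern, host) for pattern in dns_names)


# Constructed sample: what getpeercert() would return for a certificate
# naming one host and one wildcard. The names are illustrative only.
SAMPLE_CERT = {
    "subject": ((("commonName", "media.example.com"),),),
    "subjectAltName": (("DNS", "media.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    for target in ("media.example.com", "living-room.example.com",
                   "192.168.1.10", "a.b.example.com"):
        print(f"{target:26} -> {certificate_covers(SAMPLE_CERT, target)}")
```

The third line of that output is the whole problem in one row: a perfectly good certificate for `*.example.com` is worthless the moment the client connects to `192.168.1.10`, so a server that lives at changing addresses needs a stable name to be reached by.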
So what does it look like? Well, it might be a bit anticlimactic, because everything just works as it did before. Well, except for the BEAUTIFUL GREEN LOCK AND SECURE CONNECTION!
So what do you have to do? Well, update to the latest release (v0.9.12.3), and make sure you’re signed in. Also, check out our support article on the topic. We’ve silently pushed support for secure connections to Android, Roku (Preview app), the web app, Windows, and Plex Home Theater. (Gaming consoles and Smart TVs coming soon, and iOS is wrapping up a major release which includes full support for secure connections.)
Since not all servers will update at the same time, we make it clear with a green lock which servers are secure. If you’re connecting to a friend’s server which isn’t, encourage them to upgrade. Cajole them with free alcohol. Or a cronut.
This release brought to you by upside-down Barkley. Who wants to give him a belly rub?