- Once I saw Plex required an account even to self-host, it was a no-go for me. Stuff like this is why. (among other reasons, like "why should I go through a 3rd party for something I'm 100% hosting on my own hardware/network")
I've been very happy with Jellyfin FWIW :)
by m4tthumphrey
3 subcomments
- I am a huge Plex power user; watching something at least once a day.
Unfortunately, Plex is a bit of a mess these days - constantly pushing Live TV on us, requiring internet access to access local media (this is a killer whenever internet goes down), overly complex, clunky remote access (although this is much better these days). But it still isn't bad enough to make me try and migrate. I love my local setup (Sonarr and a custom app for movies as Radarr is OTT for the amount of movies we watch) and Plex is very polished (compared to the alternatives) but I do wonder how much longer it will be around.
- PSA: If you are the owner of your Plex server and follow the _Sign out connected devices after password change_ as they suggest, your server claim will also be expired.
So you'll have to get a new claim from https://www.plex.tv/claim and set it on your server; through the PLEX_CLAIM env var if your setup involves Docker.
They talk vaguely about it under _Common Issues_ but it wasn't on the original email, so I lost 15 minutes of my day because of this...
by untrimmed
1 subcomments
- I appreciate the transparency, but the phrase "securely hashed" always makes me a little nervous. It's a huge spectrum, right? We talking bcrypt/scrypt with a proper salt, or something from the old days?
- I can only comment that their communication on the incident is lacking. I read about the incident yesterday and only today I received the relevant email. On top, it seems that all of a sudden I started getting marketing emails from them although I had unsubscribed in the past, coincidence?
by rockbruno
2 subcomments
- I made an account there to use my Home Assistant as a media server and it's already the second time they reported that they messed up something. I heard you can install VLC on the Apple TV and stream through that, so I'll definitely do that and skip these weird middle companies.
by 8cvor6j844qw_d6
0 subcomment
- Anyone remember a few years back there was a major Lastpass data breach?
I roughly recall Plex was somewhat involved in the compromise. One of the Lastpass employees was compromised via Plex, which led to the Lastpass data breach, if I'm not mistaken.
- Dupe?
https://news.ycombinator.com/item?id=45174684
(Or at least related, this submission has the plex.tv website breach notification, not just the text of the email.)
by joecool1029
0 subcomment
- Maybe related to last month's serious vuln: https://app.opencve.io/cve/CVE-2025-34158
- Thanks for the reminder. I went to reset my password when the email went out, but when following the reset flow, I hit a Cloudflare page (due to the origin presumably having crashed) and got sidetracked.
- On a related note: if you're still considering whether you should put passwords (or rather, hashes thereof) in your application database of choice, please decide against doing so at all costs! Instead, you should probably use a dedicated secret management deployment: think HashiCorp Vault[1], OpenBao[2], or Keto[3] if you'd like to go beyond with ReBAC (Relationship-based access control) of Google's Zanzibar[4] fame. The benefits of a HA deployment like this far outweigh the upstart integration costs as you get to use a single, shared frame of reference to reason about your internal and external resources alike. Customer passwords, passkeys, certificates, internal CA, ACME, at-rest, in-transit, what have you, are controlled from a single point of consumption with one policy space to rule them all. It helps to use dedicated HSM capability, too. In cloud environments, AWS Nitro enclaves exist now; you could put something like Vault inside one[5].
Vault is more or less Old Testament, though, so if you're serious about zero trust, the Zanzibar paper is a must-read!
Relationships lend nicely to AI agent stuff, where RBAC is putting you at a disadvantage. It's hard to express both direct and indirect access patterns in RBAC. For example, whenever agents would act on your, or your user's, behalf within a clearly-defined scope (sic!). This is where traditional RBAC breaks down, whilst ReBAC really shines for expressing relationships between user/agent/system identities, thus greatly simplifying checking, scoping, audit.
[1]: https://developer.hashicorp.com/vault
[2]: https://openbao.org/
[3]: https://www.ory.sh/keto
[4]: https://research.google/pubs/zanzibar-googles-consistent-glo...
[5]: https://edgebit.io/enclaver/docs/0.x/guide-vault/
by cranberryturkey
2 subcomments
- use zymotv instead of plex or emby