I am a huge Plex power user; watching something at least once a day.
Unfortunately, Plex is a bit of a mess these days - constantly pushing Live TV on us, requiring internet access to access local media (this is a killer whenever internet goes down), overly complex, clunky remote access (although this is much better these days). But it still isn't bad enough to make me try and migrate. I love my local setup (Sonarr and a custom app for movies as Radarr is OTT for the amount of movies we watch) and Plex is very polished (compared to the alternatives) but I do wonder how much longer it will be around.
t0lo · 2h ago
Conversely I love the Plex TV channels as an alternative to regular Australian free to air - same as the LG channels.
Easy way for me to turn my brain off and find a good documentary/educational show at the end of the day
m4tthumphrey · 2h ago
I don't mind them doing it, but they shove it in my face constantly when I've clearly said I am not interested.
amatecha · 2h ago
Once I saw Plex required an account even to self-host, it was a no-go for me. Stuff like this is why. (among other reasons, like "why should I go through a 3rd party for something I'm 100% hosting on my own hardware/network")
I've been very happy with Jellyfin FWIW :)
nsbk · 2h ago
I switched to Jellyfin last year and never looked back. The only thing I find lacking is the Apple TV App, I tried Swiftfin but it stutters the whole time when playing high quality UHD content. I tried Infuse and it works much better
shellwizard · 2h ago
The big selling point of Plex vs Jellyfin is that their app is in all of the major stores. Samsung smart TVs for example
untrimmed · 2h ago
I appreciate the transparency, but the phrase securely hashed always makes me a little nervous. It's a huge spectrum, right? We talking bcrypt/scrypt with a proper salt, or something from the old days?
jorams · 2h ago
When they got hacked three years ago the notice included this:
> Even though all account passwords that could have been accessed were hashed (with bcrypt plus salted and peppered) and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.
Whether that later changed for the worse is anyone's guess.
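Added example, not part of the thread and not Plex's code: what "salted and peppered" means in practice, using scrypt (named in the question above) from the Python standard library in place of bcrypt. The pepper value, parameter choices and function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed pepper for the demo. The point of a pepper is that it is NOT
# stored with the hashes: it lives in app config, a KMS or an HSM.
PEPPER = b"constructed-demo-pepper"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32, maxmem=2**26)


def _stretch(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Pepper: key an HMAC with the server-side secret before the slow hash.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt: per-user random value, so equal passwords give different hashes.
    return hashlib.scrypt(keyed, salt=salt, **SCRYPT_PARAMS)


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Build the row that would sit in the user table (salt + hash only)."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _stretch(password, salt, pepper).hex()}


def verify_password(password: str, row: dict, pepper: bytes = PEPPER) -> bool:
    candidate = _stretch(password, bytes.fromhex(row["salt"]), pepper)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(row["hash"]))


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    a, b = hash_password(pw), hash_password(pw)
    print("same password, different rows:", a["hash"] != b["hash"])
    print("login with right password:", verify_password(pw, a))
    # A dump of the table alone lacks the pepper, so even the right
    # password cannot be confirmed against the stolen row.
    print("right password, wrong pepper:",
          verify_password(pw, a, pepper=b"not-the-real-pepper"))
```
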
wiether · 2h ago
PSA: If you are the owner of your Plex server and follow the _Sign out connected devices after password change_ as they suggest, your server claim will also be expired.
So you'll have to get a new claim from https://www.plex.tv/claim and set it on your server; through the PLEX_CLAIM env var if your setup involves Docker.
They talk vaguely about it under _Common Issues_ but it wasn't on the original email, so I lost 15 minutes of my day because of this...
cprecioso · 1h ago
Yep, this was a huge hassle for me, I didn't realize it would happen!
Another option is to do `ssh -L 32400:localhost:32400 <your-plex-address>` and connect to http://localhost:32400/web, it will let you claim the server as it detects the connection being local.
I made an account there to use my Home Assistant as a media server and it's already the second time they reported that they messed up something. I heard you can install VLC on the Apple TV and stream through that, so I'll definitely do that and skip these weird middle companies.
Tajnymag · 2h ago
Why not use Jellyfin then? It's basically an open source alternative to Plex. You run Jellyfin on your server and in Apple TV use Swiftfin (Jellyfin + Swift) for integration.
dav43 · 2h ago
I just use infuse or vid hub app and an SMB share.
gbil · 3h ago
I can only comment that their communication on the incident is lacking, I've read about the incident yesterday and only today I received the relevant email. On top, it seems that all of a sudden I started getting marketing emails from them although I had unsubscribed in the past, coincidence?
spondyl · 2h ago
Thanks for the reminder. I went to reset my password when the email went out but when following the reset flow, I hit a Cloudflare page (due to the origin presumably having crashed) and got sidetracked
(Or at least related, this submission has the plex.tv website breach notification, not just the text of the email.)
tucnak · 38m ago
On a related note; if you're still considering whether you should put passwords, or rather, hashes thereof—in your application database of choice—please, decide against doing so at all costs! Instead, you should probably use a dedicated secret management deployment: think Hashicorp Vault[1], OpenBao[2], or Keto[3] if you'd like to go beyond with ReBAC (Relationship-based access control) of Google's Zanzibar[4] fame. The benefits of a HA deployment like this far outweigh the upstart integration costs as you get to use a single, shared frame of reference to reason about your internal and external resources alike. Customer passwords, passkeys, certificates, internal CA, ACME, at-rest, in-transit, what have you, is controlled from a single point of consumption with one policy space to rule them all. It helps to use dedicated HSM capability, too. In cloud environments, AWS Nitro enclaves exist now; you could put something like Vault inside one[5].
Vault is more or less Old Testament, though, so if you're serious about zero trust, Zanzibar paper is a must-read!
Relationships lend nicely to AI agent stuff, where RBAC is putting you at a disadvantage. It's hard to express both direct and indirect access patterns in RBAC. For example, whenever agents would act on your, or your user's behalf within a clearly-defined scope (sic!) This is where traditional RBAC breaks down, whilst ReBAC really shines for expressing relationships between user/agent/system identities, thus greatly simplifying checking, scoping, audit.
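Added example, not part of the thread: a minimal relationship check in the style of Zanzibar's `object#relation@subject` tuples, showing direct access, indirect access through a group, and an agent delegation scoped to one document. All tuples and names are constructed, and this is a simplified model, not the API of Keto or any other product mentioned above.

```python
# Constructed relation tuples: (object, relation, subject). A subject of the
# form "object#relation" is a userset: everyone holding that relation.
TUPLES = {
    ("doc:roadmap", "owner", "user:alice"),
    ("doc:payroll", "owner", "user:alice"),
    ("doc:roadmap", "viewer", "group:eng#member"),   # indirect, via group
    ("group:eng", "member", "user:bob"),
    # Scoped delegation: alice's delegates may view doc:roadmap only.
    ("doc:roadmap", "viewer", "user:alice#delegate"),
    ("user:alice", "delegate", "agent:summarizer"),
}

# Relation rewrite: holding "owner" also grants "viewer".
IMPLIED_BY = {"viewer": ["owner"]}


def check(obj, relation, subject, tuples=TUPLES, _seen=None):
    """Return True if subject holds relation on obj, directly or indirectly."""
    seen = _seen if _seen is not None else set()
    if (obj, relation) in seen:          # cycle guard for recursive usersets
        return False
    seen.add((obj, relation))
    for t_obj, t_rel, t_subj in tuples:
        if (t_obj, t_rel) != (obj, relation):
            continue
        if t_subj == subject:            # direct grant
            return True
        if "#" in t_subj:                # userset: follow the relationship
            u_obj, u_rel = t_subj.split("#", 1)
            if check(u_obj, u_rel, subject, tuples, seen):
                return True
    return any(check(obj, stronger, subject, tuples, seen)
               for stronger in IMPLIED_BY.get(relation, []))


if __name__ == "__main__":
    for who, doc in [("user:bob", "doc:roadmap"),
                     ("agent:summarizer", "doc:roadmap"),
                     ("agent:summarizer", "doc:payroll")]:
        print(who, "viewer of", doc, "->", check(doc, "viewer", who))
```

Deleting the single `("user:alice", "delegate", "agent:summarizer")` tuple revokes the agent's access without touching alice's own grants, which is also the one place an audit has to look.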
I use Emby, only because a few friends did and recommended it. I'd probably switch to something more secure and/or open source given the right push.
crooked-v · 2h ago
From what I understand they're unrelated and the similarities come from convergent evolution.
ksynwa · 2h ago
Emby and Plex are separate projects. Jellyfin is a hard fork of Emby.
colordrops · 2h ago
Or better yet use Jellyfin.
hnlmorg · 2h ago
I’ve been considering switching to Jellyfin.
I’m getting increasingly frustrated at just how badly Plex behaves for home set ups. Which is the entire point of installing something like Plex.
Most annoying still, I’ve even paid for their premium products in the hope that it would make things behave better and it did not.
The only reason these security incidents happen is because Plex try to extort home users. There isn’t any other compelling reason to have your details on their database with credentials to active installs.
Sheeny96 · 28m ago
I run my Jellyfin on a Pi 5 8GB (with a bunch of other homelab stuff) and run an OSMC (Kodi + Jellyfin plugin) on a Pi 3b 2GB with absolutely no issue. OSMC automatically integrates with my TV remote, runs very low power and smooth. I never used any of the Plex stuff that wasn't my media, so I prefer it this way. Less bloat, more customisable.
https://news.ycombinator.com/item?id=45174684
[1]: https://developer.hashicorp.com/vault
[2]: https://openbao.org/
[3]: https://www.ory.sh/keto
[4]: https://research.google/pubs/zanzibar-googles-consistent-glo...
[5]: https://edgebit.io/enclaver/docs/0.x/guide-vault/