Skip to content
Data breachContained

Leak at Plex

On 9 September 2025, media-streaming software company Plex disclosed that an unauthorized third party had accessed one of its databases, exposing user emails, usernames, securely hashed passwords and authentication data, and forcing an account-wide password reset.

Victim
Plex

On 9 September 2025, Plex β€” the company behind the widely used Plex media-streaming and home-server software β€” notified users that an unauthorized third party had accessed a limited subset of customer data from one of its databases. The company urged all password-based accounts to reset their credentials immediately.

According to Plex, the intruder reached account records before access was identified and cut off. Plex said it had located and addressed the method used by the attacker, and described the affected data as a limited subset of one database. No payment card information was involved, as Plex does not store card data on the affected systems.

The exposed data categories included:

  • Email addresses
  • Usernames
  • Passwords (described as securely hashed in line with best practices)
  • Authentication data

Because Plex did not disclose which hashing algorithm protected the passwords, researchers cautioned that determined attackers could still attempt to crack them. Plex directed users to reset their passwords at plex.tv/reset, to enable the option to sign out connected devices after the change, and strongly encouraged enabling two-factor authentication. The incident was the second breach of similar account data Plex had disclosed, after a comparable 2022 exposure of emails, usernames and hashed passwords.

Sources

  1. techcrunch.comhttps://techcrunch.com/2025/09/09/plex-urges-users-to-change-passwords-after-data-breach/
  2. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/plex-tells-users-to-reset-passwords-after-new-data-breach/
  3. theregister.comhttps://www.theregister.com/2025/09/09/plex_breach/
  4. helpnetsecurity.comhttps://www.helpnetsecurity.com/2025/09/09/plex-tells-users-to-change-passwords-due-to-data-breach-pushes-server-owners-to-upgrade/

Related incidents

Data breachUnknown

Leak at Europages

On 28 December 2025, a database of 205,403 B2B prospects from European business directory Europages was reported leaked, exposing contact and company-registration details (names, job titles, employers, postal and email addresses, phone numbers, SIRET and VAT identifiers).

Victim
Europages
Records
205.4K
Data breachContained

Leak at HelloWork

In late December 2025, French recruitment platform HelloWork disclosed that data on roughly 2.8 million jobseekers β€” names, emails and professional-profile details β€” was scraped from its CV library via a fraudulently used recruiter account and offered for sale online.

Victim
HelloWork
Records
2.8M
Data breachContained

Data leak at SoundCloud

In December 2025, music-streaming platform SoundCloud disclosed a breach in which an attacker abused an internal system to map roughly 29.8 million private email addresses to public profile data β€” about 20% of its users; no passwords or payment data were taken.

Victim
SoundCloud
Records
29.8M
Data breachUnknown

Leak at Oui Heberg

On 10 November 2025, French web-hosting and VPS provider OuiHeberg was reported to have leaked customer contact records β€” names, email addresses, phone numbers and postal addresses β€” following a security incident affecting its infrastructure.

Victim
Oui Heberg