Plex is starting to enforce its new rules, which prevent users from remotely accessing a personal media server without a subscription fee.

Previously, people outside of a server owner’s network could access the owner’s media library through Plex for free. Under the new rules announced in March, a server owner needs to have a Plex Pass subscription, which starts at $7 per month, to grant users remote access to their server. Alternatively, someone can remotely access another person’s Plex server by buying their own Plex Pass or a Remote Watch Pass, which is a subscription with fewer features than a Plex Pass and that Plex started selling in April for a $2/month starting price.

Plex’s new rules took effect on April 29. According to a recent Plex forums post by a Plex employee that How-To Geek spotted today, the changes are rolling out this week, with a subscription being required for people using Plex’s Roku OS app for remote access. The Plex employee added:

Read full article

Comments

© Plex

Last week on Malwarebytes Labs:

• AI browsers or agentic browsers: a look at the future of web surfing
• From Fitbit to financial despair: How one woman lost her life savings and more to a scammer
• Meta ignored child sex abuse in VR, say whistleblowers
• When AI chatbots leak and how it happens
• Fake Bureau of Motor Vehicles texts are after your personal and banking details
• ‘Astronaut-in-distress’ romance scammer steals money from elderly woman
• Ransomware attack at blood center: Org tells users their data’s been stolen
• Pre-approved GLP-1 prescription scam could be bad for your health
• Plex users: Reset your password!
• Popeyes, Tim Hortons, Burger King platforms have “catastrophic” vulnerabilities, say hackers
• Google misled users about their privacy and now owes them $425m, says court
• This “insidious” police tech claims to predict crime (Lock and Code S06E18)
• iCloud Calendar infrastructure abused in PayPal phishing campaign

Stay safe!

---

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Media streaming platform Plex has warned customers about a data breach, advising them to reset their password.

Plex said an attacker broke into one of its databases, allowing them to access a “limited subset” of customer data. This included email addresses, usernames, hashed passwords, and authentication data.

“Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account… Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.”

Hashing is a way to protect users’ passwords by transforming them into a scrambled and unreadable format before storing them. Think of it like turning a password into a unique “fingerprint” made of random letters and numbers that doesn’t resemble the original password. This scrambled form is called a hash, and it is created using a special mathematical process called a hash function.

The main point about hashing is that it is a one-way process: once a password is hashed, it cannot be reversed or decrypted back into the original password. When you log in, the system hashes the password you enter and compares that to the stored hash. If they match, you get access. This means companies never store your real, plain text password, which helps keep your credentials safe even if their database is hacked.

The downside is that some systems are vulnerable to pass-the-hash attacks where an attacker can sign in by only knowing the hash. But those are mainly a concern in Windows network environments.

In the case of the Plex breach, pass-the-hash attacks are less of a worry for regular users. Plex uses hashed passwords mainly for user login access to its streaming platform, not for network-level authentication. Plex doesn’t directly enable attackers to authenticate anywhere else without cracking those hashes first.

However, as a precaution, Plex users should still follow the instructions from the company, below.

What Plex asks users to do

If you normally log in using a password: Reset your Plex account password immediately by visiting https://plex.tv/reset. During the reset process you’ll see a checkbox to “Sign out connected devices after password change,” which the company recommends you enable. This will sign you out of all your devices (including any Plex Media Server you own). After the reset you’ll need to sign back in with your new password.

If you normally log in using Single Sign-On: Log out of all active sessions by visiting http://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

For further account protection, we also recommend enabling two-factor authentication 2FA on your Plex account if you haven’t already done so.

Look out for any phishing attempts that may try to prey on this incident. Plex has said that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A 20-year-old Florida man at the center of a prolific cybercrime group known as “Scattered Spider” was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims.

Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban conspired with others to steal at least $800,000 from five victims via SIM-swapping attacks that diverted their mobile phone calls and text messages to devices controlled by Urban and his co-conspirators.

Although prosecutors had asked for Urban to serve eight years, Jacksonville news outlet News4Jax.com reports the federal judge in the case today opted to sentence Urban to 120 months in federal prison, ordering him to pay $13 million in restitution and undergo three years of supervised release after his sentence is completed.

In November 2024 Urban was charged by federal prosecutors in Los Angeles as one of five members of Scattered Spider (a.k.a. “Oktapus,” “Scatter Swine” and “UNC3944”), which specialized in SMS and voice phishing attacks that tricked employees at victim companies into entering their credentials and one-time passcodes at phishing websites. Urban pleaded guilty to one count of conspiracy to commit wire fraud in the California case, and the $13 million in restitution is intended to cover victims from both cases.

The targeted SMS scams spanned several months during the summer of 2022, asking employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other missives advised employees about changes to their upcoming work schedule.

That phishing spree netted Urban and others access to more than 130 companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. The government says the group used that access to steal proprietary company data and customer information, and that members also phished people to steal millions of dollars worth of cryptocurrency.

For many years, Urban’s online hacker aliases “King Bob” and “Sosa” were fixtures of the Com, a mostly Telegram and Discord-based community of English-speaking cybercriminals wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering. King Bob constantly bragged on the Com about stealing unreleased rap music recordings from popular artists, presumably through SIM-swapping attacks. Many of those purloined tracks or “grails” he later sold or gave away on forums.

Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as “Star Fraud.” Cyberscoop’s AJ Vicens reported in 2023 that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks that same year.

The Star Fraud SIM-swapping group gained the ability to temporarily move targeted mobile numbers to devices they controlled by constantly phishing employees of the major mobile providers. In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively claimed internal access to T-Mobile on 100 separate occasions over a 7-month period in 2022.

Reached via one of his King Bob accounts on Twitter/X, Urban called the sentence unjust, and said the judge in his case discounted his age as a factor.

“The judge purposefully ignored my age as a factor because of the fact another Scattered Spider member hacked him personally during the course of my case,” Urban said in reply to questions, noting that he was sending the messages from a Florida county jail. “He should have been removed as a judge much earlier on. But staying in county jail is torture.”

A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. It involved an intrusion into a magistrate judge’s email account, where a copy of Urban’s sealed indictment was stolen. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case.

“What it ultimately turned into a was a big faux pas,” Judge Harvey E. Schlesinger said. “The Court’s password…business is handled by an outside contractor. And somebody called the outside contractor representing Judge Toomey saying, ‘I need a password change.’ And they gave out the password change. That’s how whoever was making the phone call got into the court.”