We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
What we’re doing
We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.
What you must do
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
Additional Security Measures You Can Take
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.
Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.
For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset
You must log in or # to comment.
I’m sure Plex has some great engineers, and Plex’s infrastructure is far more hardened and secure and reliable than my Jellyfin server.
But they are a way way more likely target, and Jellyfin still performs far better and doesn’t try to sell shit to my family members.
Plex is riskier just by having a cloud things phone home to. One target to hit that can affect multiple users.
Depending on your use case, jellyfin may actually be more secure.
Jellyfin advertisement 🤷♂️
Stuff like this can happen to any app, developers are only human, shit happens. A bigger company is a bigger target for hackers, so there is some saftey in an open source app that’s not as popular, but then again a bigger company also has more resources to monitor for security breaches and quickly address them and push out a hot fix, can’t say I know how this works for free open source apps
I enjoy using Jellyfin and hope it continues to improve, but it has some problematic security of its own.
But if you just run it locally an a media server in your home, and you don’t expose the service to the internet, that doesn’t really matter? Though perhaps more people connect to their Jellyfin instances remotely than I realize.
It matters if someone manages to hide an exploit in jellyfin’s codebase, or more likely, a popular plugin. I imagine many folk have permissive outgoing firewall rules, in which case, an exploit could establish connectivity. Whether that eventually leads to privilege escalation on the jellyfin host would depend upon other variables.
edit: I should add that I’ve not used jellyfin and am unfamiliar with how plugins are implemented. I don’t want to speak out of turn, only to suggest, in the abstract, that just because software isn’t exposed to the net, doesn’t mean it cannot harbor exploits that could become problematic. Plugins just seem to be a common vector for such types of software.
Well. If you’re not streaming why have such a service in the first place? If I didn’t stream remotely with Plex (and share with my friends and family) I’d just go back to running Kodi on my htpc like I did ten years ago.
Just installed that yesterday lol
🍮🇫🇮
I harbor a strong dislike for the profiteers at Plex but their security incident response is textbook correct. Good job security dudes! The rest of your stupid company should listen to you more often.
It shows how low the bar is, that just bare bones complying with GDPR notification requirements so as not to risk a €20M fine, is enough to make people talk about how good a job you did.
As I slide the needle from “strongly dislike” to “not a fan”.
Good on em
I hate the tone companies always use with this
Some evil guys did something to us, it happened to us, and there was nothing we could have done to prevent it, but we were so quick to respond and stop it!
Aka, you fucked up with your security. Could you just once admit that?
I’m no lawyer, but wouldn’t that basically open them up to an instant win for anyone who files lawsuits against them?
I’m sure it does, but had they done their security right it likely wouldn’t have happened.
Yeah, 100% secure doesn’t exist but at the same time it’s always closed source companies like these that turn out to have horrible software security. Can’t say for sure of course, but at this point it’s a safe bet
Yes and no. hacking isn’t new. Everyone could get sued technically for security breaches for not taking enough interest in their own security.
But then it’s ridiculous if you could sue your own grandma cuz you once used her computer to print your resume and because she uses default passwords now someone has all your info you had from anything you left behind.
Ransom and hacking is pretty common unfortunately in the industry. And it is in part on the user to also take practices to protect themselves if they haven’t enabled 2F yet. And there’s way more you can do where you make email masks now and simply do not fill in with your accurate information like don’t use your real name.and use a VPN. Store stuff on ext drives and less on clouds that don’t use e2e encryption
I don’t know if it’s perfect but as a user just always have it back in your mind that your information can be obtained(if you ever used a web service to check your info on the dark web, this is pretty much going to be a given) . And it probably has. So maybe at least you can try to control what gets obtained.
In some ways 2fa is a weak spot even disregarding recovery processes being open to social engineering, now you’re giving a verified identifier uniquely tied to you
I generate unique email addresses and passwords for every account but can’t realistically do that with phone numbers
2fa by sms or voice isn’t especially secure anyway since you’re open to sim attacks and social engineering. I have a lot more hope for Passkeys but don’t really trust the practical advice arts of managing them yet
…second phone number…
Anyways… we are digressing here,
at this point it’s a lot like protecting anything in life: prevention and making yourself less tasty to a psycho.
If you’ve set it even two step You’re already doing way more than any user they are probably intending this warning to do more to protect themselves who set their password to “password” or phrases haven’t changed it in decades and would even prefer to publicly post their passwords on social willing to give up their entire savings rather than having to do anything further as if technology is too beyond and suddenly so super complex that they have to use different keys on their keyboard other than letters.
You don’t have to apply every threat like it’s calculus in a situation where there are people who are scared of even doing basic sums.
This situation was hashtags. And all they are asking is to rehash it. And here you are already disposing of the 2nd feature after that.
…second phone number…
Of course but it doesn’t scale. I’m currently up to 182 unique generated email addresses to help keep my online accounts a little more secure. But they all go through one or two phone numbers, leaving me more open to sim attacks, social engineering and data aggregation
Depends on how good the lawyers were that wrote the thing you said you read when signing up.
No one is safe from hackers. Everyone and every company will get hacked, it’s unavailable. What matters is how they react to the inevitable because that’s how best practices are made.
Eh, sorry, no.
Yeah, it is extremely hard to make something impenetrable, but claiming blanket everyone will be hacked is nonsense too.
If a company does IT well it will very unlikely fall victim as they’ll be a very hard target and not worth the time and money.
When a company comes out with that they’ve been hacked you can bet dollars to donuts that they’ve neglected their IT department and infrastructure because the very vast majority of cases have shown that problem
It was securedly hashed! We used ROT13! Twice! We’re fucking professionals!
Hah! Amateurs… I XOR all my passwords twice like real hackers do.
Man. My decision to go with Jellyfin just keeps paying off more and more
No doubt. Why do you need an account on their servers to use a server on your own hardware? So dumb.
The second I saw that I immediately looked for alternatives and abandoned plans to have my own Plex server. I knew it would enshittify fast when they can lock you out of your own server
fuck plex for plenty of other reasons, but you can disable authentication on your local network.
Just a matter of time until they remove that
For me… my server software is running. But the account doesn’t see it. And as such I can’t claim my server to get it back up and running.
Fun times. Glad I changed my password. :/
Good luck getting a similar reaction to the myriad of security issues Jellyfin has
Yeah, but you can run jellyfin with local accounts, entirely within a VPN. Pretty much makes most security issues irrelevant.
Which is the exact mindset that enables Jellyfin devs to not fix those issues, congratulations
Maybe? Like, I’d very much prefer they fix them, even though they do not impact my use case.
I don’t mean to come across as confrontational, but, maybe stop defending it then? You can keep using and liking the software while still holding the devs accountable for what is basic modern web security.
If all the Jellyfin users I saw acknowledging the issues actually stopped acting like it was a non issue, maybe the Jellyfin devs would do something about it.
On the one hand, maybe. On the other hand, the point here was more that the centralised design of Plex that necessitates an online account which might hold some private data makes such issues much worse, not that jellyfin’s issued should not be fixed.
My comment, that you answered first to, was about the way the Jellyfin devs would not react the same way to a security incidence, since they do not care about it (or at least don’t see it as important).
Also, the decentralized nature of Jellyfin does not mitigate such attacks, since you don’t need the users credentials to begin with
Y hope you know how to harden jellyfinn, because they are not better than plex team…
Jellyfin dev team is not in charge of your self hosted security though. You know what you are getting, source code available, and it’s up to you setting the security.
But they are responsible for the unsecured / gruyere cheese product they ship.
Jellyfinn has a lot of holes and it is easy to deploy it in a insecure way by not techie people. Last time I checked they even didn’t have a recommended practices for hardening it
Not techie people are not going to be able to open it for internet access. If you have the knowledge to set a internet available service you should have the knowledge to be able to provide basic security.
Most security issues with jellyfin are an issue only for a specific type of user. The one who is selling access to their server. The worst Jellyfin security issue makes selling access to your server a higher risk situation.
I hope someday those issues would get patched, but I get why there are other priorities for the dev team right now, about issues that bother to a bigger majority of jellyfin users.
Well, when I was talking about not techie people I didn’t mean technology analphabets, everybody can open a port in your consumer router with the help of chatgpt, not everybodies is able to realizes they need a reverse proxy with tls and modify the headers for the Auth…
Being secure in internet is like the herd inmunity for corona times, your system could be fairly secure, but if you are hammered with several bot nets it is going to be a challenge, and there is responsabiity is shipping a product that is easy to be infected.
And your third paragraph really confirms why this post is necessary
Have to point a dns to the ip, buy a domain, stablish ddns. I don’t see it happening often. If you know all that you are ought to know about getting hitm
Bot hits are not a problem for jellyfin. The main problem right now is unauthorized access to endpoints for people who know the hash that is being used in that endpoint.
It’s a targeted attack that hampers availability of the services (making it more available than it should be). It doesn’t make internet more insecure or anything.
As I said previously I haven’t actually known of any of these attacks happening on the wild. As they are kinda hard of pull of. You need to know the precisely hash used for the endpoint, the most normal way of knowing that without being an authorized user is because you used to be an authorized user and you are not anymore. That’s weird in jellyfin current ecosystem. People say that the hash could be calculated by a complete outsider, but I have never seen anyone pulling it off on the wild. You need to know a lot of things about the service you are attacking to be able to do it.
So, yes is a security vulnerability, all software have those. But I think it gets blown out of proportion often.
Every year Jellyfin improves and Plex further enshittifies. You’re fighting against the tide here.
???
This is not about enshitification. The best user friendly app can be a security nightmare and an utterly crap can be rock solid.
It is not about that, not even development models or just rock star programmers.
It is about who has a performing security team and who doesn’t.
None of Jellyfin’s security issues affect me.
All of Plex’s shit does.
If they don’t have a team, they don’t regularly look, if they dont look, they don’t report, if they don’t report your analysis maybe biased because you can only check about what you know…
I hope you can see my point
jellyfin is goated. Long live jellyfin!
I think you mean Plex got hacked AGAIN
lol
Glad I never gave Plex any payment details, don’t reuse passwords, and don’t plan on using it any more so I can just ignore this
I bought a lifetime subscription years ago, and even if the payment method got decrypted, it’s well expired. Not to mention I haven’t had a Plex server running for ages.
Yep same here, I already got a brand new credit card with a brand new number because my renewal got stuck in a postal strike lmao
I guess I’m going to find out if they really deleted my user data when I asked them to
Narrator: Jesus fuck, I have to say the line again?
Wellllll, we’re all waiting
So far I haven’t gotten any email from them. I’ll try to login later with my old username and password.
EDIT: Tried and they said username or password is incorrect. Since I’m using a password manager I’m confident those were what I used so maybe they really did delete it.
Accounts can be deactivated without being deleted.
I’m not a security expert, but password hashing is mostly to slow down someone from getting all the passwords. You can’t reverse the hash, but you can generate hashes until you find a match. When hashing, you can dial in how much compute it would take someone to try and solve all the hashes in your database. If you used a good password, it will be more difficult to solve your hashed password. But it’s best to change your password as Plex suggests.
So it depends on how secure a password is and how strong of hashing Plex used when storing the hashed passwords. I have no idea if this is like a “this will take a year” or “this will take a billion years” to solve all the hashes. More compute also means you can solve the hashes faster. Maybe someone with a security background could chime in.
You can’t reverse the hash, but you can generate hashes until you find a match.
That’s called a rainbow table attack, and that’s why you should salt your hash. This salt basically appends a unique string of characters to every password before it goes into the hash. Let’s say your users are dumb and use “password” for their password. If a hacker has pre-generated a rainbow table, (which is extremely time and resource intensive), then they’ll instantly crack that as soon as they get a match on those common passwords. Even if they haven’t generated a rainbow table, they can just look for identical hashes and guess that those users are using common passwords.
But if you salt it, it’ll slow the hackers down drastically by invalidating their pre-generated table. Each user has their own salt stored alongside the username and hash, so User 1’s hash actually saw “password19,jJ03pa5/-@“ while user 2’s hash saw “passwords)205JrGp02?@-“. Because each of their salts are unique, their resulting hashes are unique too. Even though they used the same password. Now the hackers need to crack the hash for each user, by incorporating the existing salts for each user. They’ll start with the weak and common passwords first, which is why it’s still best practice to use strong passwords. But they can’t actually start the rainbow table process until after they have hacked the info, and they’ll need to create fresh tables for every single user.
Best explanation of salt I’ve ever seen. Thanks!
NaCl
So is this user specific salt word stored in a table somewhere, how does the company decrypt a salted password otherwise, and so if the salt is also stored somewhere alongside the encrypted password, couldn’t the hacker get his hands on both the salt and the password and use that to figure out the password?
the salt does not need to be encrypted. the point of it is that it makes a generic rainbow table useless, because the crackers need to compute hashes themselves for all passwords.
as they said, the purpose of hashing is to slow down the crackers, because they need to find the string that produces that hash. a rainbow table cancels that, it makes password lookup for an account almost instantaneous. but a rainbow table is only really useful for unsalted hashes, because for salted hashes a different rainbow table is needed that takes the salt into account.
Yes, the salt is stored right alongside the username and hashed password. The point of the salt isn’t to be unknown; It’s to make every single password unique before it gets hashed, which invalidates the hackers’ pre-generated rainbow tables. It forces them to re-generate their table for each user. Even identical passwords will create different hashes, because the salt is different for each user. Essentially requiring the hacker to brute force every single password, even after they have the database downloaded.
Basically, the hash algorithms are known. There are a few common ones, but they’re all reliable. A rainbow table is generated by running potential passwords through each hash, and saving the results. For a simplified example: maybe for a certain hashing algorithm, “password” generates the hash “12345”. I have a pre-generated table with millions of potential passwords that tells me as much. And I have repeated this for all of the most popular hashes. This gigantic database (literally hundreds of GB in size) of millions of potential passwords and resulting hashes for the most popular algorithms is my rainbow table. This took hours of cooking my CPU to generate.
So I hack an unsalted password database, and find a bunch of hashes that are listed as “12345”. I can now guess that they’re probably using that specific hash algorithm, and can immediately crack a bunch of passwords purely because I have already brute-forced them before I hacked anything. I can also crack the rest of the passwords much faster, because I’m only needing to brute force the one algorithm I know they used, instead of being forced to hash with all of them.
But now let’s say it’s a salted hash instead. When I hack the database, my pre-generated rainbow tables are useless. Because now “password” is not being hashed as “12345”. It’s being hashed as something entirely different, because the salt is added before it gets hashed. Even if multiple users use “password”, it still doesn’t help me because each of their salts is unique. So even if two different users use “password”, they’ll each return different hashes. So I need to recreate my rainbow table for every single user. Even if two users both used “password” I’ll still need to check each one individually, with their unique salts.
This doesn’t completely invalidate the breach, but it drastically slows down my ability to access individual accounts. The goal is simply to slow me down long enough for the company to be able to send out “hey, change your password” notifications, and for the users to do so. Without a salt, once I have the database, I instantly know which hash the company is using. And I can immediately access a bunch of accounts using my pre-generated rainbow table. But with the salt, I’m still forced to crack each user individually.
To be clear, weak passwords will still crack faster. A good password guessing attack doesn’t just brute force. It starts with known lists of common/popular/weak passwords, because that known list of weak passwords will often get you into an account extremely quickly.
If the hash is unique per person, hackers need to build a new table per person. It doesn’t matter if the hackers can get their hand on the salt; the point is that they cannot try the common passwords easily for all users; it takes N times as long where N is the number of users with a different salt (hopefully all of them)
If they are following best practices then individual hashes should be salted and the database of hashes should be peppered so even if someone brute forces an offline copy of the hashes they wouldn’t result in actual useable passwords.
I don’t think that’s how salts work. I might be wrong, but I think it works like this
Password + Salt -> Hash
- “p@ssword” + “hakf” -> “hifbskjf”
- “p@ssword” + “jkjh” -> “gaidjshj”
- “p@ssword” + “afgd” -> “afgdufj”
Notice how those 3 users use the same password, but the different salts results in 3 different hashes. That doesn’t make it any harder to crack a single hash, but it means I have to crack the same password 3 times. It just slows down password cracking.
Edit: my explanation isn’t wrong, but I didn’t understand the pepper part until now. So I understand the above now.
You missed the part about pepper. Pepper is something that’s added, like salt, but that isn’t stored with the password. A low security version of this is an environment variable, but it could also be a secure hardware device on the machine.
So it’s more like this:
- “p@ssword” + “hakf” + “pepper” -> “hifbskjf”
- “p@ssword” + “jkjh” + “pepper” -> “gaidjshj”
If an attacker only has the salt, they’ll “crack” the password into something that’s not the original password:
brute_force("higbskjf", "hakf") - > "kdrnskk". The idea is that it might take a few days for the attacker to recognize the error, and by then the security team has already responded and locked the backdoor.Even if the passwords are peppered, users should assume their password is compromised and change them. But peppering may prevent a cascade effect from reused passwords.
I actually didn’t realize pepper was a thing. I mostly do frontend. But that’s really interesting!
That’s all you can do though, extend the time it takes to brute force, so I’m not sure what the distinction being made is.
Response time is critical. It’s the difference between immediately getting pwned vs. having time for the security team to identify the threat, notify their users, and users to assess the impact of the breach and change their passwords.
even if someone brute forces an offline copy of the hashes they wouldn’t result in actual useable passwords
I thought you were suggesting that salted hashed passwords were uncrackable but maybe I misunderstood this
Edit: I understand the offline pepper part now. My bad
Gotcha, no, I wasn’t trying to make that claim, it’s just a way to make it more difficult/time consuming
Not entirely
Firstly you don’t “generate hashes until there is a match”. You can generate hashes until the end of the universe and you’ll still have only a fraction of all possible hashes.
What typically is used are large lookup tables with hashes from known passwords. You can then take that table, take a hash you got, and look it up.
So firstly, hashes should be salted, and if salted correctly, it’s already extremely much harder to use because these tables no longer work. There are few more things you can do but that pretty much is a hard wall already.
The problem is that many corporate systems out there have horrible security. They either use a hash that has been known to be broken since a long time ago (hello LinkedIn), don’t use salting (hello linkediiiiiinn), or don’t use hashing at all.
It’s because of idiots like these that there are so many accounts with password tables out there
What to do?
Use password managers. Now all your site’s have different, safe passwords and you only need to know one. Use 2FA where possible and supported
Can you also use a list of common passwords and a ruleset you apply to those common passwords, and then
hash(applyRule(commonPassword), salt) == compromised hash?That’d basically how these hash tables work, they have the account and hash and known password so you can do rapid lookups
I’m not entirely sure what you mean but my password manager alerts when the hash of one of my passwords matches one from a dark web data dump, and prompts me to replace it with a newly generated one.
I’m sure it’s not a unique feature
Admittedly I do have a few bad password, a combination of I don’t see how I could care (like a Reddit alt account) and sites that break the password change automation (yeah I’m lazy)
I wonder how that works. The point of password hashing is to uniquely scramble your password. So userOneHash(“password”) should give a different output than userTwoHash(“password”) even if they use the same password. So your password manager shouldn’t really be able to generate the same password hash since an infinite number of hashes can be generated from the same password.
A hash is just a mathematical algorithm that generates a somewhat unique number from any input, and usually in such a way that the tiniest difference generates a completely different hash.
I can put a single letter in a hash, I can put the entire Bible in a hash, I can put the entire universe in a hash, the output is always the same amount of bytes.
For example, if I have a hash algorithm that generates a two letter hash, a-z, then the input “Lemmy” could give me “WK” while “Lemmx” (literally one bit difference in binary) could give me “AV”. If I put the Bible in there, I could get out “XX”, for example.
The same input always generates the same output, and another important tidbit: hashing is always one way, you can’t do it in reverse.
Also important, as you probably already noticed: the hash contains (usually, but not necessarily) much less information than the original input. This means that at some point, two different inputs can generate the same output, that’s called a collision.
If the entire world would use the same hash all the time, and users would all use the same password for every website, then all the hashes for all the websites would be the same.
Now, humans are humans, and most humans use a fairly limited set of passwords. Sole people try to be ingentilent by replacing “s” with “5”, thinking that computers won’t get that.
Then, somebody started compiling a list of all known passwords with all variations and put them in a table. Then they went over each password, and hashed it with a bunch of well known hashing algorithms. Those tables, called rainbow tables iirc, are super easy and fast lookup tables if you have a hash and want to see what password it could have been.
Now what can websites do to protect against this? They can “salt” the password by prefixing then with a random text string only known to the website. If I download the database of that website, all the hashes will now be different and I won’t be able to do the lookup anymore. Better even would be to also include the user id in there, making it even harder to decipher.
What can users do? Don’t use those “Kn0w13DgE” passwords, use a random string of characters. Use unique passwords for each site. Use a password manager which will do both for you so you won’t have to remember anything
Keep in mind that the only reason they deny you the ability to log in to your own local service with your own local sign-in method is that they may upsell you on their cloud junk. If there’d be no cloud account involved - your data would not be at risk and/or leaked. They endangered your privacy for marketing purposes.
If you have not moved off of Plex - do it now. This company is fully rotten.
The email they sent out has
reply-toaddress that conveniently does not work…But brooo, don’t you know you need to have a cloud login. You neeeeeed it broo, so they can have all your info leaked bro. How else can I give access to somebody if I don’t pay 200+ bucks for the privilege of accessing my own library bro.
Data leaks happen bro, no need to worry it’s the third time in a decade. This is a text book pro response anyway, they deserve more money bro.
How dare you suggest people use another software bro, they deserve your money each month, not these leeches giving you free software. Plus Plex is so much more secure anyways, just look at them getting hacked bro. Your jellyfin is so insecure you need a PhD in cyber bro-security to even think about doing it. Look at all the jellyfin instances getting hacked every day. Someone could even guess a UUID and access 10s of playback of my pirates movie bro, see how it’s so full of holes bro
They say that passwords are hashed but were they salted?
End of the day does it even matter? They’ve gotten a ton of other information including authentication data which is probably just as, if not more, useful/lucrative to them.
From another source:
Server owners will also have to claim their server again and possibly update it, as Plex has also announced that it had “made adjustments” that will temporarily prevent “regular” users from connecting to any Plex server they have been granted access to.
The reason given is that too many Plex Media Server instances have yet to be updated to version 1.42.1, which contains a fix for a vulnerability (CVE-2025-34158CVE-2025-34158) that could be exploited remotely by authenticated users to gain access to the server and tamper with it and the data on it.
This part should have been a lot more visible and not just hidden as part of a generalized forum post. The error the individual users got doesn’t do anything to make it clear what the user or server owners need to do.
As an intentional change by Plex, presenting basic guidance as to what the error theyve caused means should be the absolute bare minimum. This is the piece that annoys me most.
Nevermind the credit cards, it’s the viewing habits they can sell that really make money.
Word of warning. Resetting your password is causing lots of people to lose access to their server. I’ll be deleting config and reclaiming the server after work.
Didn’t need to delete anything, just logged in directly via the servers IP and claimed it.
That’s awesome that you had a slightly easier path to recovery
Easiest decision to delete an account I’ve ever made.
This isn’t the first time they’ve been breached, there was an incident in 2015 and 2022 as well. From what I can gather its the same info being gathered each time.
There might be others but I can’t find th at the moment.
Really that often? I guess their good and quick response has been engineered through lots of experience…
At some point, can you keep yourself using a service that constantly gets breached? I’d just be worried when the next one is coming, based on this record (that i havent verified for myself, gonna trust u bro).
I was going to get some links for you, but conveniently The Register already did that for me:
Thank you and yikes
Do any of you receive a password reset mail? I don’t. So I fear somebody might have already changed /taken over my account? Even though i do use two factor auth?
- I did receive the initial notice
- I did not receive the reset mail i asked for. Not in spam either. I have checked that the emailadress is identical to the one i received the original notice for.
Try it again. I bet their password reset service was swamped after sending the notice.
No cigar still. Beginning to get a tiny bit nervous
