Plex breach - again

Plex has been breached again, similarly to the breach just a few years ago in 2022.

On the one hand, it’s at least good that they detect and report these breaches quickly, unlike some organizations.

On the other hand, it’s concerning that they have had repeated breaches.

4 Likes

I got this email also… Should I look into Jellyfin? The UI of Plex is so nice.

2 Likes

I don’t know. I’m thinking through it and I probably will finally check out Jellyfin.

I’ve mostly stuck with Plex because I have a lifetime license. I don’t love the direction they’re headed though and haven’t found recent updates to be useful. They’ve been pushing media they make money off more than they make an effort to improve self hosting media.

Them having another breach just gives me a nudge to check out alternatives.

That said, it’s also a good reminder to make sure that permissions in Plex and for your media directories, files, and network shares (if applicable) are set appropriately. Don’t want some rando deleting a bunch of stuff, or being able to upload things. Disable remote access if you don’t use it, set up 2FA, etc.

The UI of Emby is similar and nicer than Plex IMO, especially after the last couple of Plex changes they did. Emby also doesn’t use cloud servers for login, it goes direct from your device to your server, unless you use Emby Connect which is optional but it helps with easier discovery if you are having issues and don’t know your own IP. Even with Emby Connect it is still direct from device to server, the Connect app just helps with the initial discovery portion.
They have server application support for everything as far as I can tell, and they also have client app support on the majority of platforms:

  • Amazon Alexa
  • Amazon Fire TV
  • Android
  • Android TV
  • Android Auto
  • Apple TV
  • Chromecast
  • iOS
  • Kodi
  • LG Smart TV
  • Linux
  • macOS
  • NVIDIA Shield
  • PlayStation 3
  • PlayStation 4
  • QNAP
  • Raspberry Pi
  • Roku
  • Samsung Smart TV
  • SNAP
  • Web App
  • Windows
  • Xbox

Jellyfin is nice since it is open source, but I just find Emby to be a bit easier and more compatible. Emby is a closed source company product though, similar to Plex. But whereas Plex has gone the direction of “you” are the product being monetized to advertisers and they still charge you a fee on top, Emby is the actual product you pay for and they do not monetize user data in any way.

2 Likes

I’d be happy to give you a login to mine for testing out. Also happy to answer any questions about it and the whole stack I run alongside it.

Not to derail the thread.

If anyone is interested feel free to ask away unless OP objects.

Good callout. Emby is definitely another option to explore.

I’d be happy to give you a login to mine for testing out. Also happy to answer any questions about it and the whole stack I run alongside it.

I’m good, I can spin up some containers easily enough to test things out, but thank you.

I don’t have an issue with the conversation turning to info on setting up alternatives either. It’s all relevant information.

Just installed Jellyfin with Docker this afternoon. It runs better than I expected. It recognizes more media files than Plex.

Well I don’t know a ton about what Plex looks like personally, but I can say the ecosystem for Jellyfin is pretty good. There’s a lot of supporting software out there.

Jellyseerr is probably my favorite part.

Obviously that’s not exclusive to just Jellyfin, but works with it very well.

Transcodes are pretty well supported with little frustration on my part, however Dolby Vision profile 5 seems broken, but every other file I’ve tried has worked well.

There’s also a third party system I use called TubeArchivist that has a plugin for Plex and Jellyfin for YouTube content.

Official clients are maybe one shortcoming vs Plex though.

1 Like

Oh, if you have a decent music collection, Finamp is 😘 👌

2 Likes

Just a heads up that when you change your password, checking the “log out all devices” option can cause some irritating problems. I had to manually reclaim my server, which is a pain in the ass, but it also breaks any other integrations, some of which do dumb things like not letting you log in because you’re not logged in. So if you have a strong password then it’s probably not worth deauthenticating everything, but if you do, plan to spend some time fixing stuff.

1 Like

PSA:

Plex Media Server v.1.42.1.10060 was released August 11, 2025 to address the security concern that led to this breach.

Plex waited until September 8, 2025, to inform you, their loyal members, of the breach by email.

This was a total of 29 days between dates. They had a legal obligation to report this to you within 30 days. Take that for what you will.

7 Likes

Interesting point. I did some more reading and, not to try to defend, but one possible explanation for the delay was to give server owners time to upgrade (although they maybe could have communicated their intentions better if that is the case).

This article has more details than the one I originally linked.

Plex has also announced that it had “made adjustments” that will temporarily prevent “regular” users from connecting to any Plex server they have been granted access to.

“Once the server is updated to a fixed version, other users will be able to access again,” the company stated.

Not buying it.

PMS v.1.42.1.10060 was the fix version.

“As a follow-up to the original report and in an abundance of caution due to a population of servers still on an affected Plex Media Server version (versions 1.41.7.x to 1.42.0.x), we have made adjustments for access to affected servers.”

That announcement made 3 days ago (September 7, 2025) informed “specifically, other users to which the server owner has granted access to the server will not be able to connect to it while the server is running an affected version.” (Affected versions being anything prior to 1.42.1.)

So this means:

  • Sometime prior to August 11, 2025: Plex becomes aware of a security vulnerability (which leads to the breach and loss of user data).
  • August 11, 2025: Plex releases PMS v.1.42.1.10060 to mitigate the breach.
  • September 7, 2025: Plex announces a policy change that “other users to which the server owner has granted access to the server will not be able to connect to it while the server is running an affected version” (anything prior to release 1.42.1)
  • September 8, 2025: Plex sends email to all user email accounts notifying of breach.

So, Plex held off informing users of the breach of their data to “give the server owners time to upgrade” when the policy change made September 7, 2025, would have been sufficient to mitigate the risk until such time as users got around to making the upgrade to v1.42.1?

No, that is nonsensical. Plex botched this from beginning to end and on top of that stretched their duty to inform users until the last possible moment.

Not a good look.

4 Likes
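Since the announcement quoted above names a concrete affected range (1.41.7.x to 1.42.0.x, fixed from 1.42.1), here is a small check, added here and not part of the thread or of Plex’s own tooling, that classifies the version string a PMS instance reports so you can see which of your servers (or shared servers) still need the upgrade. The inventory and the 1.41.7 build number in it are constructed sample values, not real data.

```python
# Added example: classify Plex Media Server version strings against the
# affected range quoted in the thread (1.41.7.x .. 1.42.0.x, fixed in 1.42.1).

AFFECTED_FROM = (1, 41, 7)  # first affected release named in the announcement
FIXED_FROM = (1, 42, 1)     # first release outside the range (PMS 1.42.1.10060)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v.1.42.1.10060' or '1.41.7.9823-abc' into (major, minor, patch)."""
    cleaned = text.strip().lstrip("vV").lstrip(".")
    parts = cleaned.split("-")[0].split(".")  # drop any build-hash suffix
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a PMS version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    nums += [0] * (3 - len(nums))             # pad short strings like '1.41'
    return nums[0], nums[1], nums[2]


def classify(text: str) -> str:
    """'fixed', 'affected', or 'older' (predates the named range; still upgrade)."""
    v = parse_version(text)
    if v >= FIXED_FROM:
        return "fixed"
    if v >= AFFECTED_FROM:
        return "affected"
    return "older"


def needs_upgrade(inventory: dict[str, str]) -> list[str]:
    """Return the names of servers not yet on a fixed version, sorted."""
    return sorted(name for name, ver in inventory.items()
                  if classify(ver) != "fixed")


# Constructed sample inventory (server name -> reported version string).
SAMPLE_INVENTORY = {
    "living-room": "1.42.1.10060",
    "friend-share": "v.1.41.7.9823",   # constructed build number
    "old-nas": "1.40.2.8395",          # constructed, predates the named range
}

if __name__ == "__main__":
    for name, ver in SAMPLE_INVENTORY.items():
        print(f"{name}: {ver} -> {classify(ver)}")
    print("needs upgrade:", needs_upgrade(SAMPLE_INVENTORY))
```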

ANNNND, just to pile on, from that same announcement: “As a follow-up to the original report and in an abundance of caution due to a population of servers still on an affected Plex Media Server version (versions 1.41.7.x to 1.42.0.x)”… meaning:

This security vulnerability was introduced in v1.41.7. From what I can gather, it was released sometime in late April 2025 (possibly April 23, 2025).

1 Like

Yeah, I was mostly thinking out loud. We can’t say for sure what their reasoning is without someone in the know coming out and telling us.

After I posted that, I did think to myself it’s a pretty weak reason, if that is the reason for waiting to advise users.

Regardless, the fact that they get breached every few years is at least as, if not more, frustrating and worrying as the fact that they could have informed us earlier, or at best, their lack of transparency about what went down.

Yes, it does appear the vulnerability was there for a few patches, but that doesn’t mean they were aware of it at that time. If they were, they likely wouldn’t have released the patch and successive patches with the vulnerability.

Here’s the changelog from v1.41.7:

  • (Continue Watching) Always return ancestor guids for in-progress items (PM-3303)
  • (Filters) The DOVI filter would result in an error when applied to a show library (PM-3272)
  • (Transcode) Transcoding High Bitrate EAC-3 could result in choppy audio. (PM-691)
  • (Transcodes) Some transcodes could result in larger than required bitrates (PM-2772)

I think the better question is, what in this list of changes caused the security vulnerability, and if it’s not in this list, why is the list of changes incomplete?

And I’ll just go ahead and answer the question for them… because it wasn’t a change in the distributable PMS client, it was a change to the Plex hosting backend that they maintain. While the security vulnerability may have been only exposed from v1.41.7.x forward, that’s a red herring. The security vulnerability has been exposed since late April 2025 and as a result of their incompetence to harden their backend.

All of this is just obfuscation to throw us off the scent.

1 Like

Jellyfin doesn’t have an app for Samsung TV.