Went there to update my password but got reminded what a horrible experience Plex is these days, so deleted my account instead.
this post was submitted on 09 Sep 2025
241 points (99.6% liked)
Selfhosted
51542 readers
312 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Should have been put in the OP because people are going to jump the gun:
While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party.
Still, always good practice to change your password after this sort of leak. However unlikely it is that someone could access your account, it's never a bad idea.
If you use a unique password and have 2FA on there’s no real need, but yeah it can’t hurt.
load more comments
(2 replies)
Glad I started out with Jellyfin
I mean, jellyfin is absolutely even.more of a security nightmare than Plex, with multiple unfixed CVEs IIRC (software, not website or forum)
I use jellyfin also, but I only trust it not exposed to the internet at all. That is one very big area of improvement for them.
That and subtitle syncing.
load more comments
(1 replies)
Meanwhile I made a post asking if plex is bad now and most people on it said "no it's great I paid for my lifetime pass years ago and its been the best!" Yeah, we know the truth now.
Jellyfin all the way.
Seems unlikely that this happened. Most people on Lemmy despise Plex and forgive all the shortcomings of Jellyfin
Thats what I thought too. But I posted on ask lemmy, not here.
load more comments
(10 replies)
I'd love to switch. I would do it right now, but the problem is that Jellyfin's security isn't better if you open it up to the internet. For example, I'd have to set up a VPN for my remote users for proper security, and most of my users are in other states, not technically inclined, and watch on their TVs. I'd have to at least support a raspberry pi for them, or some sort of site to site VPN, and if it goes down, I'll be expected to fix it. On top of that, if I do a simple raspberry pi based VPN, it would be made even more complicated since they'd want it to work with their smart TVs.
Again, I really want to switch. But Jellyfin needs to fix their security issues before I can. I'm also happy with the way Plex is reporting this, it's above the standard "your data is lost" notifications.
Edit: here's a link to the related GitHub issue I've been following: https://github.com/jellyfin/jellyfin/issues/5415
And @Saik0Shinigami@lemmy.saik0.com has a great thread explaining more: https://lemmy.today/comment/18923504
Jellyfin is great... As long as you're the only one who needs to access the server. I've switched to using Jellyfin myself, but I still run Plex for others to access.
I've found that I get a smoother playback experience on Jellyfin, but even outside of potential security issues, there are a still couple of features I miss from Plex.
What are those features?
One was automatic collections, but the plugin for this has since been updated, and the bug I was experiencing has been fixed. The one remaining feature that I'm missing is user ratings for media. On Plex I have automatic collections of movies that I've rated four and five stars, and it's quite useful.
Most of these require some form of random id to exploit, which leaves you either brute forcing ids or brute forcing a user account
I mean, that's fine, but it's still an issue and a risk that would cause me to want to use VPN for remote viewing. It doesn't seem like security is Jellyfin's priority at the moment, not that it's Plex's either, but it's not to a place where it's worth it to switch from a security standpoint, personally.
Plex has a whole team dedicated to security. It's obviously not perfect and it is a larger attack surface than Jellyfin, but I'll take that any day over devs who treat security as an afterthought
load more comments
(5 replies)
Again, its not random. It's not a UUID. Its an md5 hash of the filepath. Which is easily guessable since most people have a very similar if not identical folder structure, especially since a lot have it managed by the *arr suite. take that plus the publicly available release names for movies and you're done
load more comments
(6 replies)
load more comments
(2 replies)
My big complaint with Jellyfin is that their documentation showed a “fast forward” hotkey that convinced me to switch from Plex, and when I started it up it was a misnamed “jump forward five seconds” button instead.
It’s still better for my needs, but I remain angry.
load more comments
(2 replies)
Plex followed best practices and made sure that in the event of a data breach your accounts were safe, and alerted us promptly to the breach and reassured us that nothing private/of value was compromised.
JellyFin knowingly leaves multiple API endpoints with zero authentication.
I know which one I prefer, and it’s not the one with gaping security holes marked as “won’t fix”.
People don't seem to understand that no-one can reasonably stop a breach today.
The question is whether the attackers got anything of value and how easy they got in.
load more comments
(2 replies)
Even is plex is "bad" now, it's still years ahead of jellyfin.
load more comments
(3 replies)
Plex can't catch breaks recently.
Self hosting does come with risks though. People should be on notice.
In general, for self-hosting, we hardly rely on remote service/server. The whole idea of self-hosting is to shun dependency on external service/server, and run everything on your own hardware and network. So that every aspect of the service is in your control. I don't think self-hosting comes with much risk, unless you make your service available on Internet.
Well plex can't be run without it pinging the mother ship...
But I get your point. I don't open shit up for remote use.
Which is exactly why I never installed Plex and went straight to Jellyfin
load more comments
(2 replies)
load more comments
(4 replies)
I dropped it in favor of Jellyfin some time back, but this was a good excuse to go ahead and delete my family's accounts.
view more: next ›