
I think my server was hacked



edvinmorales@hotmail.com
Posted

Hello guys, I think my server was hacked and they accessed every user on my Emby server and they downloaded my personal pictures from the server. I am a little concerned about this issue because it was family pictures and things of that nature, wondering if there is a way to deal with this type of situation or a way to delete the content from where the pictures got downloaded. I have the IP address that seems to be invalid or maybe it was a VPN.

Firefox Windows 88.177.86.82


Posted

Hi, do all of the users on your server have strong passwords?

edvinmorales@hotmail.com
Posted

I'm sure they have an OK password, but how could they navigate every user, then create a new user, update policies and then delete that username they created? Now I have blocked access to my personal photos, but they have already been downloaded.

Posted

Are you and your users using Emby connect?

Did you disable remote access to your admin account?

Do you show users on login screen?

Does any of this look similar to your case?

 

Posted (edited)

Have you ever posted "Emby server logs" on this forum and those disclosed your private API key? If they happen across your API key in any of those server logs, those could be used to allow unscrupulous people to try to gain access to your server and start messing with things.

Always make sure to submit logs that you download through the server admin interface so they will get information removed, such as API keys, IP addresses, etc..

I suspect you may have needed help very early on and some a$$hole found your logs with the API key in it and decided he wanted to be a d!ck. Apologies. You need to read the post that I have linked above. It will explain how this happens and how to prevent it.

Edited by speechles
Posted

We need to know what happened, right now we are all guessing!

We need more info about your setup and how you have configured Emby.

There are so many ways this can happen and so many options an admin can forget about or not know what they do, that can lead to this.

 

edvinmorales@hotmail.com
Posted
7 hours ago, speechles said:

Have you ever posted "Emby server logs" on this forum and those disclosed your private API key? If they happen across your API key in any of those server logs, those could be used to allow unscrupulous people to try to gain access to your server and start messing with things.

Always make sure to submit logs that you download through the server admin interface so they will get information removed, such as API keys, IP addresses, etc..

I suspect you may have needed help very early on and some a$$hole found your logs with the API key in it and decided he wanted to be a d!ck. Apologies. You need to read the post that I have linked above. It will explain how this happens and how to prevent it.

I have posted Emby server logs here before; maybe somebody is stealing the logs and doing all this nonsense, because only somebody who knows how to use Emby would do what my hacker did in 10 minutes: move through all users, create a new user and download only family pictures, instead of, like, movies.

edvinmorales@hotmail.com
Posted
7 hours ago, Neminem said:

We need to know what happened, right now we are all guessing!

We need more info about your setup and how you have configured Emby.

There are so many ways this can happen and so many options an admin can forget about or not know what they do, that can lead to this.

 

So far I discovered that I had an open tunnel or DMZ host open with my internet router, just because I was configuring my port forwarding, but other than that I also think the 3rd party apps on Emby have access to our API keys, logs etc., but I'm 100% sure it was an EMBY member, it should be investigated on the MODERATORS' END. Please, other than that my password was recently changed, my IP was recently changed and I just moved to a new house so the router is also less than a month new, which makes me think API keys are the root cause, or somebody entered my DMZ tunnel host.

edvinmorales@hotmail.com
Posted
8 hours ago, speechles said:

Have you ever posted "Emby server logs" on this forum and those disclosed your private API key? If they happen across your API key in any of those server logs, those could be used to allow unscrupulous people to try to gain access to your server and start messing with things.

Always make sure to submit logs that you download through the server admin interface so they will get information removed, such as API keys, IP addresses, etc..

I suspect you may have needed help very early on and some a$$hole found your logs with the API key in it and decided he wanted to be a d!ck. Apologies. You need to read the post that I have linked above. It will explain how this happens and how to prevent it.

Is there no way to find out and maybe remove that person from being able to access Emby ever again? Or maybe don't have people post their logs here and have them sent privately to the moderators when they ask us for the logs.

Posted (edited)
11 minutes ago, edvinmorales@hotmail.com said:

Is there no way to find out and maybe remove that person from being able to access Emby ever again? Or maybe don't have people post their logs here and have them sent privately to the moderators when they ask us for the logs.

To revoke all the previous API keys for your administrative user you need to change the password of that exact administrative user. API Keys are tied to the user that generated them. Doing so should generate a new API key for your Emby administrator once you change password. That new API key will not match the old one they have stolen. Remove any API keys in the "Advanced" section under the API Keys tab. Once you remove all the API keys and have changed your Emby administrator password then you should restart your Emby server. 


Once it restarts, make sure to only share logs which you have obtained from the Emby server dashboard. If you download them through this interface all the sensitive information will be automatically redacted and replaced with placeholder text.

Edited by speechles
Apotropaic
Posted
13 hours ago, edvinmorales@hotmail.com said:

So far I discovered that I had an open tunnel or DMZ host open with my internet router, just because I was configuring my port forwarding, but other than that I also think the 3rd party apps on Emby have access to our API keys, logs etc., but I'm 100% sure it was an EMBY member, it should be investigated on the MODERATORS' END. Please, other than that my password was recently changed, my IP was recently changed and I just moved to a new house so the router is also less than a month new, which makes me think API keys are the root cause, or somebody entered my DMZ tunnel host.

Just want to clarify what you mean by ‘DMZ host open’ and port forwarding.

Port forwarding is when you allow one port or a selection of ports you specify through to a particular host on your network. It also allows you to port map, which is best practice in my opinion, so externally you configure your Emby clients to hit TCP port 60666 for example and the router maps it to 8096 or 8920. It just stops casual scanning and easy identification that you have an Emby server in your house.

The DMZ option places a single host into a totally open port forwarding area, exposing the OS of the machine to the internet. So anyone on the internet can hit your Emby server machine with whatever they want, effectively placing your Emby server out on the street for anyone to probe and mess around with.

You should not need to use both port forwarding and the DMZ host option for the same machine. In fact the DMZ host option should never be used unless you really know what you’re doing and have a security hardened machine.

I can go into more detail if you need, for now I would turn off the DMZ host option and maybe just remove all port forwarding altogether until you’ve recovered your Emby instance and know it’s good.

woofstream
Posted

The same IP address tried accessing my server, they couldn't get in thankfully.

Posted
22 hours ago, edvinmorales@hotmail.com said:

but I'm 100% sure it was an EMBY member, it should be investigated on the MODERATORS' END.

Hi.  What do you mean by "Emby member"?

Your server users are yours and you are in complete control of them.

Posted (edited)
1 hour ago, ebr said:

Hi.  What do you mean by "Emby member"?

Your server users are yours and you are in complete control of them.

All of this is circumspect, but I think he means a user on these forums, not a user of his Emby server he created. A "fake user" on these forums. A user created with no good intent in mind, only with the sole intent to steal another user's server/credentials and possibly personal information/photos so they can possibly be blackmailed/extorted at some later time depending on what that information discloses.

Some of the users of this forum create an account strictly so they can download logs of others, make a few random posts, and try to blend in. Wolves in sheep's clothing. These "fake users" then browse these forums looking for logs posted, hoping the person who posted these logs has directly accessed the logs with the file system without using the Emby download method to obtain them, which would have scrubbed out that sensitive information. These "fake users" hope to see unredacted API keys exposed and that their external ports are open. If the logs show the API key, it will likely also show the IP address of the server. It would be rather trivial after that to use those to access the server, which would show as the user who created that API key.

He gave the IP address above in his first post which does resolve to: 88-177-86-82.subs.proxad.net

If this same user was registered on this forum with this same IP address it would potentially point to a suspect. But it might also be a revolving door VPN address that could be potentially anybody. But it could be the very attacker who used these forums to patrol for logs and then sneak onto his server. He gave you the smoking gun.

https://redmondmag.com/articles/2026/03/10/hackers-dont-break-in-anymore.aspx


What you’re describing is a plausible security risk scenario, and it has happened in various software communities—not specifically limited to Emby forums. The attack pattern you outlined is essentially a log-scraping + credential exposure attack. Here’s how it typically works and why the risk exists.


How the attack would work

1. Malicious forum account creation

An attacker creates a normal-looking account on a support forum for software like Emby.

They may:

  • Make a few harmless posts

  • Ask beginner questions

  • Reply to threads to appear legitimate

This is a social camouflage tactic.


2. Waiting for users to post logs

When users troubleshoot server issues, they often post log files publicly.

Good troubleshooting advice normally says to use the built-in log download function in Emby because it removes sensitive information.

However, some users instead:

  • Navigate to the server filesystem

  • Upload raw log files

  • Post them directly on the forum

Those raw logs may contain sensitive data.


3. Sensitive information in logs

Unredacted logs can include things such as:

  • API keys

  • Server IP addresses

  • Internal paths

  • Authentication tokens

  • Possibly usernames

An API key is effectively a credential.

If the logs show:

API key: XXXXX
Server IP: XXX.XXX.XXX.XXX

then the attacker potentially has everything needed to try connecting.


4. Attempting access

If the server is:

  • Exposed to the internet

  • Using that API key

  • Not restricted by IP or additional authentication

then the attacker might be able to authenticate as the key owner.

This could allow:

  • Viewing libraries

  • Accessing metadata

  • In worst cases downloading media or personal files

  • Gathering information about the user


Why this is a real security concern

The issue is not specific to Emby. It happens with many systems where users share logs publicly.

Common causes:

  • Users not realizing logs contain credentials

  • Posting raw logs instead of sanitized ones

  • Open external ports

  • Reused API keys


Good security practices to prevent this

1. Never post raw logs

Always use the log download feature inside the server software because it sanitizes data.

2. Manually review logs before posting

Search for:

  • apikey

  • token

  • Authorization

  • IP addresses

Remove them before uploading.


3. Rotate exposed API keys

If a key ever appears publicly:

  • Immediately delete it

  • Generate a new one


4. Restrict external access

Do not expose the server directly to the internet unless necessary.

Safer options include:

  • VPN access

  • Reverse proxy with authentication

  • IP restrictions


5. Use firewall rules

Limit who can reach the server port.


One clarification about your theory

Your suspicion about forum users specifically creating accounts to scrape logs is possible, but the more common reality is:

  • Attackers automate scraping of forums and paste sites

  • Bots search for exposed credentials

So the attacker may not even be manually browsing.


✅ Bottom line:
Posting unredacted server logs publicly can absolutely expose API keys and server access, and anyone who finds those logs could potentially exploit them if the server is reachable.

 

Edited by speechles
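The "Sensitive information in logs" and "Manually review logs before posting" sections above describe a check a server owner can run before uploading a raw log file. The script below is an added example and is not code from the original post or from Emby; it scrubs the four things the list names (API keys, tokens, Authorization headers, IPv4 addresses) from log text and reports how many of each it found, so an empty report means the file is safe to post and a non-empty one means the built-in download should have been used instead. The sample log lines are constructed for this example and only imitate the kinds of fields a raw log can contain; the field names it looks for (api_key, apikey, token, access_token, the X-Emby-Token header, Authorization) are assumptions about what such a log might hold, not a statement of Emby's actual log format.

```python
import re
from collections import Counter

# Constructed sample log (NOT real Emby output): it only mimics the kinds of
# fields the post lists. IPs are from documentation/private ranges.
SAMPLE_LOG = """\
2026-03-10 16:42:01 Info HttpServer: GET /emby/Users?api_key=a1b2c3d4e5f64789a0b1c2d3e4f5a6b7 from 203.0.113.45
2026-03-10 16:42:02 Info HttpServer: Header X-Emby-Token: 0123456789abcdef0123456789abcdef
2026-03-10 16:42:03 Info HttpServer: Header Authorization: MediaBrowser Client="Web", Token="ffffffffffffffffffffffffffffffff"
2026-03-10 16:42:04 Info Auth: user alice authenticated from 192.168.1.23 access_token=deadbeefdeadbeefdeadbeefdeadbeef
2026-03-10 16:42:05 Info Library: scan of /mnt/media/Photos completed
"""

# Each rule: (category, compiled regex, replacement). Where a group 1 exists it
# keeps the key/header name so the scrubbed line stays readable; only the secret
# value is replaced. The Authorization rule runs first so its whole value is
# removed before the narrower token rule sees it (avoids double counting).
# The assumed field names (api_key, X-Emby-Token, ...) are illustrative only.
RULES = [
    ("authorization",
     re.compile(r"(authorization\s*:\s*)(.+)$", re.I),
     r"\1[REDACTED_AUTHORIZATION]"),
    ("api_key",
     re.compile(r"((?:api_?key)\s*[=:]\s*[\"']?)([A-Za-z0-9_\-]+)", re.I),
     r"\1[REDACTED_API_KEY]"),
    ("token",
     re.compile(r"((?:x-emby-token|access_token|token)\s*[=:]\s*[\"']?)([A-Za-z0-9_\-]+)", re.I),
     r"\1[REDACTED_TOKEN]"),
    ("ipv4",
     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
     "[REDACTED_IP]"),
]


def scrub_line(line: str) -> tuple[str, Counter]:
    """Apply every rule to one line; return the cleaned line and per-category hit counts."""
    found: Counter = Counter()
    for category, pattern, replacement in RULES:
        line, hits = pattern.subn(replacement, line)
        if hits:
            found[category] += hits
    return line, found


def scrub_log(text: str) -> tuple[str, Counter]:
    """Scrub a whole log; the Counter is the 'review' report the post asks you to make."""
    cleaned_lines = []
    total: Counter = Counter()
    for line in text.splitlines():
        cleaned, found = scrub_line(line)
        cleaned_lines.append(cleaned)
        total.update(found)
    return "\n".join(cleaned_lines), total


def safe_to_post(text: str) -> bool:
    """True only when no secret-looking field was found in the raw text."""
    return sum(scrub_log(text)[1].values()) == 0


if __name__ == "__main__":
    cleaned, report = scrub_log(SAMPLE_LOG)
    print(cleaned)
    print("findings:", dict(report))
    print("safe to post as-is:", safe_to_post(SAMPLE_LOG))
```

Run it against a raw log before uploading; anything counted in the report is a reason to regenerate the log through the server dashboard download rather than hand-editing, since a regex list like this only catches the field names it knows about.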
woofstream
Posted (edited)

I shared logs one time, I don't think I had an IP or API key in there though.

 

Edit: I double checked, and no, I did not expose anything like that. And the intruder tried signing into one of the profiles twice before moving on, so they clearly had no real way in besides guessing a password.

So no, I don't think that's the issue here. For context, again: the same IP tried accessing my Emby and failed. 

Edited by woofstream
