Volunteer-run pirate Manga website attacked, loses hashed passwords, has ‘nobody’ to fix the mess
Dot-org has been offline for a month, says ‘people who have ill intentions’ behind crack
A “scanlation” website for Manga has admitted that its members' credentials have been stolen and are now being shared online.
MangaDex.org was rated as the world’s 1,024th-most-trafficked website in March 2021 by Amazon’s web marketing outfit Alexa. The site went offline a few days after achieving that rating, after admitting it had been compromised and telling users that continuing operations was not wise until it could perform an upgrade.
The site was already in trouble over copyright because its core service is hosting scanned Manga that volunteers translate into different languages, which rather diminished publishers’ chances of securing distribution in nations outside Japan.
MangaDex has therefore endured Pirate-Bay-style whack-a-host hijinks and copyright takedown requests.
When the site went offline, on March 21, it left a single index.html page in place that offers occasional updates on the security incident.
An email to members seen by The Register says that as of April 22, the dot-org's operators “have identified that a partial database leak” of members' information has been detected.
“Investigation on the database has pinned the time of the breach to be around December 2020,” we're told, “though given the nature of the leaked database, we are unable to confirm if anything else more recent has been leaked.”
The database reportedly contains “your MangaDex username, email, bcrypt-hashed password and first & last accessed IP addresses.” Members have also been offered the following less-than-reassuring news:
As of now, the leak is not public and is instead being shared privately among certain groups of people who have ill intentions against MangaDex and have chosen to be complicit in the breach by keeping quiet about it, likely for unethical reasons. We do not know how many people have their hands on the data, or how long they have had it, but we expect the responsible parties to escalate the situation soon after by releasing the data publicly in some form.
The March security breach notice warned that restoring the website will be slow, because “maintaining MangaDex is nobody's actual job.” An April 6 update detailed work on a new version of the site based on a revised architecture and new code. That update admitted the work “did not go as smoothly as we dared to hope.”
The dot-org has worked on a new version for over a year, according to cached forum posts. The most recent update and email offer no time frame for restoration of the site.
Members have been advised that if their MangaDex password is reused anywhere else, it’s time to change that password in case the hashes are cracked. ®