Volunteer-run pirate Manga website attacked, loses hashed passwords, has ‘nobody’ to fix the mess

Dot-org has been offline for a month, says ‘people who have ill intentions’ behind crack

A “scanlation” website for Manga has admitted that its members credentials have been stolen and are now being shared online.

MangaDex.org was rated as the world’s 1,024th-most-trafficked website in March 2021 by Amazon’s web marketing outfit Alexa. The site went offline a few days after achieving that rating, after admitting it had been compromised and telling users that continuing operations was not wise until it could perform an upgrade.

The site was already in trouble over copyright because its core service is hosting scanned Manga that volunteers translate into different languages, which rather diminished publishers’ chances of securing distribution in nations outside Japan.

ManagDex has therefore endured Pirate-Bay-style whack-a-host hijinks and copyright takedown requests.

squeezing an apple

REvil ransomware gang claims it stole top-secret tech designs – including Apple lappies – from Quanta Computer


When the site went offline, on March 21, it left a single index.html page in place that offers occasional updates on the security incident.

An email to members seen by The Register says that as of April 22, the dot-org's operators “have identified that a partial database leak” of members' information has been detected.

“Investigation on the database has pinned the time of the breach to be around December 2020," we're told, "though given the nature of the leaked database, we are unable to confirm if anything else more recent has been leaked.”

The database reportedly contains “your MangaDex username, email, bcrypt-hashed password and first & last accessed IP addresses.” Members have also been offered the following less-than-reassuring news:

As of now, the leak is not public and is instead being shared privately among certain groups of people who have ill intentions against MangaDex and have chosen to be complicit in the breach by keeping quiet about it, likely for unethical reasons. We do not know how many people have their hands on the data, or how long they have had it, but we expect the responsible parties to escalate the situation soon after by releasing the data publicly in some form.

The March security breach notice warned that restoring the website will be slow, because “maintaining MangaDex is nobody's actual job.” An April 6 update detailed work on a new version of the site based on a revised architecture and new code. That update admitted “did not go as smoothly as we dared to hope.”

The dot-org has worked on a new version for over a year, according to cached forum posts. The most recent update and email offer no time frame for restoration of the site.

Members have been advised that if their MangaDex password is reused anywhere else, it’s time to change that password in case the hashes are cracked. ®

Similar topics

Broader topics

Other stories you might like

  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Millions of people's info stolen from MGM Resorts dumped on Telegram for free
    Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

    Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

    The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

    The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

    Continue reading

Biting the hand that feeds IT © 1998–2022