Mangadex Has Been Hacked, Users Should Assume Data Has Been Breached

With the rise in popularity of manga comics and magazines in the West, sites like MangaDex are proving irrestable to millions of fans.

This so-called ‘scanlation’ platform – a portmanteau of ‘scan’ and translation’ – offers manga titles in languages other than their original titles. These transformed publications are then offered to a new audience but one that doesn’t have to pay for the privilege.

A year ago, MangaDex was pulling in an estimated 30 million visits per month but according to SimilarWeb stats, that figure has reached more than 75 million. However, due to exceptional circumstances, those visitors – at least for the foreseeable future – will have to obtain their content from elsewhere.

MangaDex Says it Was ‘Hacked’ Last Week

In an announcement Sunday, MangaDex revealed that in addition to mitigating DDoS attacks, last week it was subjected to a much more serious security threat.

On March 17, MandaDex’s operators said that they discovered that a “malicious actor” had gained access to an administrator account by reusing a session token found in an old database leak. However, while it was possible to identify and patch the vulnerable piece of code, a further review of the site revealed additional problems.

“After the breach, we started spending many hours reviewing the code for possible further vulnerabilities, and started to patch what we could find to the best of our capabilities,” the MangaDex statement reads.

“This ran parallel to us opening the site after the breach, as we had incorrectly assumed that the attacker would not be able to gain further access. However, as a precaution, we had started rolling out monitoring of our infrastructure and had remained vigilant in the event the attacker returned.”

MangaDex Returns – But Not For Long

According to the site’s operators, early on Saturday the attacker gained access to a developer account belonging to an individual who had been offline for four days. The site was immediately shut down (less than a minute) so that further investigations could be carried out. Within minutes, however, a reported 10 users of MangaDex received an email from the attacker.

“MangaDex has a DB leak,” it read. “I suggest you tell their staff about it.”

MangaDex says that there was a ransom request for “10k BTC [sic] or everything goes public” but there’s still no evidence that a database breach occurred. However, “for best security practices, we will assume it has happened,” they warn. [See update below]

Just short of two hours after the developer account was accessed, the attacker reportedly updated a git repository containing a source code leak, noting that MangaDex had patched two out of three CVEs (Common Vulnerabilities and Exposures). Nevertheless, MangaDex’s operators “assumed the worst-case scenario” and decided to keep the site down for further investigations.

Ongoing Work to Secure The Site

“As of writing, we have invited numerous volunteers to assist our developers with identifying the last possible CVE claimed by the attacker in the codebase,” MangaDex continues.

“Thanks to our volunteers, we have identified a good number of potential security flaws and moved to rectify them. However, at time of writing, we have still yet to identify the last possible CVE claimed by the attacker.

“With that knowledge in mind, we were confronted with a difficult decision. If we had assumed incorrectly that the web code is now secure, we could end up being compromised again by the attacker. As a result of that, in good conscience, we could not possibly re-open the website to users presently.”

The MangaDex operators say that having considered several options for reponening, they have decided the platform will remain closed until v5 of the site (a total platform rewrite) is working up to a base level, one that at a minimum will allow users to read, follow and upload content.

Security of Users

MangaDex appears to be handling the hacking incident with professionalism, including full disclosure and by not playing down the potential severity of any breach. At this stage, they know that the attacker has gained access to information not seen by regular users but there is still no evidence of a full-host or recent database breach. That being said, the advice is for users to consider their information compromised.

“As a user, we will encourage that you would assume that your data has been breached, and take precautions immediately, such as changing the passwords of any accounts that might share the same password as your MangaDex account. As a generally good security practice, password managers are highly recommended to keep your online identity secure,” the operators conclude.

When the site will return is still unclear, with estimates ranging from one to two or even three weeks. In the meantime, the site is advising people to obtain updates from Twitter.

Update: An earlier version of this article indicated that no ransom had been demanded by the attacker. MangaDex informs TorrentFreak that “10K BTC” was requested which the team believes relates to “10k USD in Bitcoin rather than 600M USD in Bitcoin.”