Until recently, scanlation platform MangaDex was buzzing along as a true giant in the manga world. Serving tens of millions of visitors every month, the site was home to a dedicated fanbase.
On March 17, however, the site was targeted in a malicious attack that saw an unnamed third-party gain unauthorized access to an administrator account by utilizing information found in an earlier database leak. That attack was followed up a second three days later which used a developer account to inflict further damage.
Rather than trying to patch all possible attack vectors, MangaDex took the decision to shut itself down and continue work on a new version of the site. Meanwhile, the malicious actor demanded $10,000 in bitcoin, an amount that the site’s operators declined to pay.
Full Site Database In The Hands of Bad Actors
As previously reported, MangaDex has acted responsibly by keeping users regularly informed on the fallout from the hack, including potential risks and how they can be minimized. Last month the operators indicated that there was no evidence of a recent database breach but told users to expect the worst, advising them to change passwords on any accounts that might share the same password as their MangaDex account.
Unfortunately, new information released this week indicates the worst-case scenario of a full database leak has now become reality.
“[W]e have positively identified the database leak in the wild, as we had feared would happen. This means that your username, email, IP address and securely hashed passwords are now potentially public knowledge,” MangaDex’s operators warn.
“If you have not done so yet, we strongly advise that you change your credentials on any site that you may have shared with MangaDex.”
The latest information obtained by MangaDex indicates that the database has not yet reached peak exposure as it is currently being “shared privately”. However, MangaDex warns that these groups have “ill intentions against MangaDex and have chosen to be complicit in the breach by keeping quiet about it, likely for unethical reasons.”
Who these third parties are is not being disclosed but MangaDex fears that ultimately the data will be more broadly shared.
“We do not know how many people have their hands on the data, or how long they have had it, but we expect the responsible parties to escalate the situation soon after by releasing the data publicly in some form,” they warn.
MangaDex Working With ‘Have I Been Pwned?’
Have I Been Pwned? (HIBP) is a website that allows Internet users to check whether their personal data has been leaked online following a data breach. At the time of writing the site carries information from breaches on 521 websites amounting to a staggering 11,145,906,797 accounts, 590.4 million of which relate to Facebook breaches. As a courtesy to its users, MangaDex says it is now working with HIBP.
“We are currently working with HIBP (https://haveibeenpwned.com/) to get the affected accounts added and notified, and plan to find a way to properly notify everyone affected via email,” MangaDex says.
While the site is also apologizing to its users for the breach, it’s worth noting that following a data breach at Facebook, the company did not personally contact affected users. This shows that there are varying standards when it comes to dealing with compromised account data and MangaDex is at least doing what it can to prevent additional damage.
As reported earlier this month, MangaDex also took action at Github to prevent the spread of its code.