What you need to know about the recent MangaDex data breach

Status
Not open for further replies.
The guy was able to log in normally with just the session data from the server? Did he not need the cookie stored on the client?
Or did you not hash it, as it would do that on every page load? If so, it might be better to have two levels of session data: one which can "log in" from any IP and is hashed, and another which is unhashed but allows only a single IP address and gets created with the first. But what do I know... that isn't really my field.
 
I mean, that's why I use different emails and identities online, especially in my hooded-related activities.
 
Thank god the site is still alive and kicking; I took a break from here and now I need to catch up on around 3 months' worth of chapters 。゚(TヮT)゚。
And about this whole data breach thing, I'm pretty sure that my email was already leaked in more than 7-8(?) other data breaches (I stopped using it for college stuff because of that, and because they'd rather you use their institutional email system), and the password too (that's what you get for using basically the same password for more than 10 years).
 
oof

Well, hopefully the loose ends have been tightened up now... patching software vulnerabilities kind of feels like playing whack-a-mole sometimes 😞 Obviously there are security best practices and all the low-hanging fruit that can be considered, but then a 0-day or something or other can always surprise you out of nowhere.

(I hope md has backups, in case something more terrible happens in the future?)

Thanks for informing us promptly, though! 😊
 
Sad this happened; it must have been really stressful for the administration and everyone involved. Thanks for sharing this with us and recommending security measures to us.
 
Please only remove Solo Leveling; it would make things easier for the site.
We really don't deserve something like MD in our life, you guys are the best.
Thanks for your service.
 
My password is password1, that's not a problem because for all my other sites my password is 1password. They'd never guess it.
 
First of all, I'd like to thank the MangaDex team for being so transparent and dealing with this situation quickly. I greatly appreciate your effort in keeping this site up and running for so many years.

To the people who are concerned about your information leaking, I feel bad for you, but the fact that you're concerned in the first place is already wrong. You always have your own responsibility to protect your information online, especially in dealing with any unofficial site. If you knowingly or unknowingly expose your information online, then it's only a matter of whether you consider it a leak or not. Any other unethical pirated anime or manga site doesn't need any hacker to leak your info, because the site would already sell everything you provided for money; they just have no need to tell you.

To all the people feeling that MangaDex is a failure, feel free to look for another site; there are plenty of other pirates out there happy for a new income source. MangaDex is run "almost" entirely on the goodwill of the MangaDex team, who work for free, and the donations of people who want to keep it running. Unless you're donating or using affiliates, which is highly doubtful considering how much you dislike MangaDex, your loss wouldn't be missed. Sure, higher traffic could attract more affiliates, but then again it depends on users' goodwill to use any of them.
 
@ununseti
There are backups, yes.

ITT: Some people holding MD to an impossible standard. The original owner and then the devs have busted their asses to create a platform that is pretty fantastic, all things considered. It's not perfect and building an entire website from scratch is *not* easy. V5 will be a long time coming but they're doing the best they can. As @Plykiya mentioned, several high profile companies have been hacked before. It's a fact of life. No website is completely secure unless you don't connect it to the internet and you run it off a home server. That's just the reality.

You're welcome to your thoughts and opinions. No one's saying that mistakes weren't made or security flaws weren't present, but condescendingly reaming out developers for a website that exists solely because of our users (you know, the ones that donate and interact with our affiliates to help us keep the lights on), some paper clips, and gum reeks of entitlement. There's expressing valid concerns and then there's posting long rants about the "sheer incompetence" of MD's development team.

I challenge anyone to create what they have, maintain it for three years, and not run into many of the same issues we have. Frankly, if you can't be at least civil when expressing your concern you don't need to be posting in this thread.
 
Whew, sucks, but it is what it is. I'm hoping v5 isn't storing the necessary data to forge a session cookie in the database, but I'm under the impression it won't since v3 has been said to have been made of gum and newspaper and v5 is much improved.

I only have ~20 years of developer experience (spread out across a lot of different domains, so nothing hardcore), but I'm willing to offer what little advice I can if that's helpful -- no code, though, that's a no-no since my email is out there now and I'm frankly not motivated enough to make a new account and lose all my reads/follows/etc. Can't sue me for giving advice, though.

Anyway, hang in there guys.
 
Oh my! While this is unfortunate news, I'm just glad you guys are open with us and that the site is back.
 
So you just told us to resort to 2FA, right after some troublemaker effortlessly ransomed our information, bypassing 2FA and all. Moreover, because he logged into an admin's account, I'm inclined to believe that, despite being aware of that obvious security breach, you guys didn't care and just checked "Remember Me" upon logging in anyway. Before you try to suggest to us regular users some methods to "better secure" our accounts -- before you fix those security breaches, even -- you should police yourselves.

By the way, I hope that you guys are working ASAP to fix those breaches, on top of recycling basic precautions so your admin accounts aren't so easily breached along with the rest of the userbase, because the OP also serves as a flag to anybody who's interested in taking this site down.
 
Lul didn't see this one coming in the slightest. But hey, I use a throwaway login for MD, so it's fine for me.

I'm sorry y'all had to go through that. Bad luck.
 
Oh no, the information that I used to create an account has been exposed, just like it has been in probably tens of other data breaches, known and unknown; what shall I ever do!?!?!?
*cough*
That aside, thanks for being up front with what happened. I just wish others that actually store sensitive information (*insert large multi-billion dollar corp here*) would be as up front and transparent as MD.

The only suggestion I would like to make is to treat 2FA recovery codes like passwords. Probably anything else I could add is being taken care of in v5.
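Two suggestions in this thread point at the same design rule: the earlier question about whether the session data in the database was hashed, and the post above about treating 2FA recovery codes like passwords. The example below is added here to illustrate both and is not MangaDex's code; it does not describe how v3 or v5 actually work. All class and function names (`SessionStore`, `RecoveryCodes`, `forged_from_dump`), the 30-day "remember me" lifetime and the PBKDF2 work factor are assumptions made for the example, and the user IDs and codes it runs on are constructed inline.

```python
"""Added example (not MangaDex code): store only hashes of session
tokens and 2FA recovery codes so a dump of the database cannot be
replayed as a login. All names are hypothetical; data is constructed."""
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 30 * 24 * 3600   # assumed "remember me" lifetime
PBKDF2_ITERATIONS = 50_000             # assumed work factor for recovery codes


def _session_digest(token: str) -> str:
    # Session tokens are 256-bit random, so a fast unsalted hash is enough:
    # the preimage cannot be brute-forced and lookups stay a single key fetch.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Server-side session table keyed by SHA-256(token), never by the token."""

    def __init__(self):
        self._rows = {}   # digest -> {"user_id": int, "expires": float}

    def create(self, user_id: int, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)           # only the client keeps this
        self._rows[_session_digest(token)] = {
            "user_id": user_id,
            "expires": now + SESSION_TTL_SECONDS,
        }
        return token

    def lookup(self, token: str, now: float = None):
        """Return the user_id for a valid cookie value, else None."""
        now = time.time() if now is None else now
        row = self._rows.get(_session_digest(token))
        if row is None or row["expires"] <= now:
            return None
        return row["user_id"]

    def revoke_user(self, user_id: int) -> int:
        """Log a user out everywhere (what you do for admins after a breach)."""
        dead = [d for d, r in self._rows.items() if r["user_id"] == user_id]
        for d in dead:
            del self._rows[d]
        return len(dead)

    def dump(self) -> dict:
        """What an attacker with read access to the table sees."""
        return dict(self._rows)


def forged_from_dump(store: SessionStore, dump: dict, now: float = None) -> int:
    """Count dumped rows that can be replayed as a cookie. Should be 0."""
    return sum(1 for digest in dump if store.lookup(digest, now) is not None)


def _code_digest(code: str, salt: bytes) -> bytes:
    # Recovery codes are short and human-typed, so treat them like passwords:
    # a per-code salt and a slow KDF instead of a plain hash.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


class RecoveryCodes:
    """Per-user 2FA recovery codes, stored salted+hashed and single-use."""

    def __init__(self):
        self._rows = {}   # user_id -> list of [salt, digest, used]

    def issue(self, user_id: int, count: int = 8) -> list:
        codes = [secrets.token_hex(5) for _ in range(count)]   # 40 bits each
        self._rows[user_id] = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self._rows[user_id].append([salt, _code_digest(code, salt), False])
        return codes          # shown to the user once, then forgotten

    def redeem(self, user_id: int, code: str) -> bool:
        """Consume one code; the same code never works twice."""
        for row in self._rows.get(user_id, []):
            salt, digest, used = row
            if not used and hmac.compare_digest(_code_digest(code, salt), digest):
                row[2] = True
                return True
        return False

    def remaining(self, user_id: int) -> int:
        return sum(1 for r in self._rows.get(user_id, []) if not r[2])


if __name__ == "__main__":
    sessions, codes = SessionStore(), RecoveryCodes()
    cookie = sessions.create(user_id=42)
    print("cookie valid:", sessions.lookup(cookie) == 42)
    print("rows forgeable from dump:", forged_from_dump(sessions, sessions.dump()))
    issued = codes.issue(42, count=3)
    print("first redeem:", codes.redeem(42, issued[0]),
          "second:", codes.redeem(42, issued[0]))
```

The point of `forged_from_dump` is the check a practitioner wants after a breach: every value in the dumped session table is fed back in as if it were a cookie, and none of them authenticate, because the table holds only digests and the server hashes whatever the client presents before looking it up. The recovery codes use a salted PBKDF2 rather than SHA-256 because, unlike a 256-bit session token, a short code a human can type is within brute-force reach of anyone holding the dump; redeeming also marks the code used so a leaked one cannot be replayed after its owner has spent it.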
 