What you need to know about the recent MangaDex data breach

Status
Not open for further replies.
I understood the warning part and that a hacker has my passwords. Let's take this warning seriously and leave the security on mods.
 
@Tokimedotozu they don't have your password in plaintext lol
it's been hashed/salted in a way that's never been broken before so it's impossible for them to figure out what your password is from it, still should change it anyways though
 
Thanks for being so open about this! It happens, although it sucks, so don't feel too bad.
 
Thanks for letting us know what happened.
Glad the site is back up and running.
Hope v5 gets done sooner rather than later to decrease these things happening again.
 
If we only made an account on the site a couple weeks ago, is our information included in this breach, or is it just for accounts that existed when the hacker obtained the code some months ago?
 
I'm not really understanding how they hacked Loli Master's account from some old build, but don't have our passwords.

I still changed it, anyway.
 
Using their database dump, the hacker was able to use the session codes stored in the db when you hit "remember me" to bypass any password and 2FA requirements, as these are stored for a couple of months.

They then proceeded to log into the account of our admin
Wait a second - you've actually allowed accounts with admin rights to forego authentication? I am trying to say this in the nicest way possible, but: ARE YOU BLEEDING MAD?!
I hope you've come to the obvious conclusion of that.
 
@Narf sounds like having the session codes allowed them to impersonate any user who, when they logged into the site, checked that "remember me" option, not that the admin account doesn't have 2FA enabled.
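
Added example, not part of the thread and not MangaDex's code: one common way to store "remember me" tokens so that a database dump alone cannot be replayed as a login. The database keeps only a SHA-256 hash of the secret half of the cookie, tokens are single use, and all of them can be revoked at once. The class name `RememberMeStore`, the 60-day lifetime and the in-memory dict standing in for the table are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_TTL = 60 * 24 * 3600  # assumed lifetime: 60 days, in seconds


class RememberMeStore:
    """Hypothetical stand-in for the DB table; a dump exposes exactly self.rows."""

    def __init__(self):
        self.rows = {}  # selector -> (user_id, sha256(validator), expires_at)

    def issue(self, user_id, now=None):
        """Create a cookie value; only a hash of its secret half is persisted."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)   # lookup key, not secret
        validator = secrets.token_urlsafe(32)  # secret, lives only in the cookie
        digest = hashlib.sha256(validator.encode()).hexdigest()
        self.rows[selector] = (user_id, digest, now + REMEMBER_TTL)
        return f"{selector}:{validator}"

    def redeem(self, cookie, now=None):
        """Return the user id for a valid cookie, else None. Single use."""
        now = time.time() if now is None else now
        selector, sep, validator = cookie.partition(":")
        row = self.rows.get(selector)
        if not sep or row is None:
            return None
        user_id, digest, expires_at = row
        candidate = hashlib.sha256(validator.encode()).hexdigest()
        # Any presentation consumes the row: a wrong or expired value kills it,
        # a correct one is rotated (the caller issues a fresh token).
        del self.rows[selector]
        if now > expires_at or not hmac.compare_digest(candidate, digest):
            return None
        return user_id

    def revoke_all(self):
        """Incident response: invalidate every remembered session at once."""
        self.rows.clear()
```

A redeemed token should only restore an ordinary session; privileged actions can still require a fresh password and 2FA prompt.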
 