OpenSubtitles Hacked, 7 Million Subscribers' Details Leaked Online (torrentfreak.com) 22
OpenSubtitles, one of the largest repositories of subtitle files on the internet, has been hacked. TorrentFreak reports: Founded in 2006, the site was reportedly hacked in August 2021 with the attacker obtaining the personal data of nearly seven million subscribers including email and IP addresses, usernames and passwords. The site alerted users yesterday after the hacker leaked the database online.
"In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it. He asked for a BTC ransom to not disclose this to public and promise to delete the data," the post reads. "We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data."
Indeed, searches on data breach site Have I Been Pwned reveals that the database is now in the wild, containing all of the data mentioned by OpenSubtitles and more. [...] OpenSubtitles describes the hack as a "hard lesson" and admits failings in its security. The platform has spent time and money securing the site and is requiring members to reset their passwords. However, for those who have had their data breached, it may already be too late to prevent damage. The hacker has already had access to data for several months and now the breach is in the wild, problems could certainly escalate.
"In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it. He asked for a BTC ransom to not disclose this to public and promise to delete the data," the post reads. "We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data."
Indeed, searches on data breach site Have I Been Pwned reveals that the database is now in the wild, containing all of the data mentioned by OpenSubtitles and more. [...] OpenSubtitles describes the hack as a "hard lesson" and admits failings in its security. The platform has spent time and money securing the site and is requiring members to reset their passwords. However, for those who have had their data breached, it may already be too late to prevent damage. The hacker has already had access to data for several months and now the breach is in the wild, problems could certainly escalate.
Well, now they are super-open (Score:5, Insightful)
Let me see if I have this right.
A database of open subtitles has been hacked. So, now, all those subtitles are - open?
Mind explodes!
Re:Well, now they are super-open (Score:4, Funny)
Let me see if I have this right.
A database of open subtitles has been hacked. So, now, all those subtitles are - open?
Mind explodes!
I think that should be: [Mind explodes!]
Re: (Score:2)
It's not the subtitles that were compromised, it's the user data of the site. You could create an account and subscribe to feeds, so e.g. when a new episode of a TV show was broadcast you could grab a .torrent of it and subtitles to match.
Some of the subtitles were ripped, some were created by users. Very handy when the official release doesn't support the language you read.
"passwords" (Score:4, Insightful)
It always annoys me when I hear a site was hacked and they got hold of "passwords" and not "password hashes".
Why does any company store actual plaintext passwords in their databases? Like, honestly guys, wtf?
Re:"passwords" (Score:5, Insightful)
I can't access the article where I am right now, but whenever I see "passwords" being exposed I usually assume it's "hashes" unless the article explicitly mentions plain-text passwords.
And let me say...
I don't take this stance because I trust application developers to do the right thing. It's mainly because I don't trust tech journalists to understand an issue before writing about it.
Re: "passwords" (Score:2)
Comment removed (Score:4)
Re: (Score:3)
It may not be stored in plaintext, but it may not have been stored properly as hashes, either.
You can't just hash a password, because you're still vulnerable to a rainbow table attack (basically lists of passwords with pre-calculated hashes so you do a quick comparison of hashes).
To avoid this, you need
Re: (Score:2)
It always annoys me when I hear a site was hacked and they got hold of "passwords" and not "password hashes".
Why does any company store actual plaintext passwords in their databases? Like, honestly guys, wtf?
Is there a meaningful difference? In any large hacked password dataset you'll have thousands to millions of passwords trivially hacked in a short amount of time regardless of algorithm and amplification scheme employed.
The only way to meaningfully protect passwords is to encrypt them and make sure your databases and application servers lack the means of ever decrypting them. The only thing that gets access to keys should be single function authenticators.
Re: (Score:3)
Password security (Score:2)
So...they paid a ransom... with no guarantees (Score:2)
and the guy's buddy (yea, sure) came back a few months later to try to get more.
Another concern for OpenSubtitles users is that many are likely to be members of pirate sites. If they used the same credentials on those then that is clearly an issue but if the report from Have I Been Pwned is correct, their email addresses can now be matched with their IP addresses too.
It's bad when the copyright mafia is the bigger threat.
Subscribers? (Score:2)
I think I've used their site a few times, and from what I can see the subtitles are all free to download. What exactly are the subscribers paying for?
Re: (Score:2)
Reset passwords are shared in cleartext emails. (Score:1)