Insecure password leads to Mangatoon data breach

The hugely popular Manga comics platform Mangatoon has fallen victim to a data breach. No fewer than 23 million user accounts could be at risk, thanks to a poorly secured database. Worse still, Mangatoon doesn’t seem to be responding to messages from the breacher, or people notifying it that the breach has taken place.

A limited edition run of exposed accounts

Mangatoon allows comics fans to read a variety of web comics for free via the app, with the option to “unlock” whole comics for a fee. Unfortunately for Mangatoon, its Elasticsearch database was compromised, leading to several attempts to get its attention.

Anyone got a security contact at @MangatoonEN? DMs are closed and apparently they haven't been responding to emails attempting to reach them.

— Troy Hunt (@troyhunt) July 4, 2022

No response was forthcoming by email or even social media. While it’s possible everyone involved is too busy fixing the problem, the complete lack of a reply is concerning.

Checking for exposure

The data from the breach, which occurred in May, has been loaded into the popular breach checking service Have I Been Pwned.

You can search for your email address on that site, and if your mail is tied to any data breaches (not just Mangatoon), the site will let you know which sites, what data, and when it was breached.

New breach: Mangatoon had 23M accounts breached in May. The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes. 27% were already in @haveibeenpwned

— Have I Been Pwned (@haveibeenpwned) July 6, 2022
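The Have I Been Pwned notice above says the dump contained salted MD5 password hashes. Salting stops precomputed tables, but MD5 itself is fast enough that a leaked hash set still gives an attacker a cheap guessing target; the usual defensive fix is to move stored hashes to a deliberately slow function, and to do it transparently the next time each user logs in. The following is an added illustration of that upgrade-on-login pattern, not code from Mangatoon or from the article: the `md5$salt$digest` record layout, the salt-then-password ordering and the `pbkdf2_sha256$iterations$salt$digest` replacement format are all assumptions made for the demo.

```python
"""Upgrade legacy salted-MD5 password records to PBKDF2-HMAC-SHA256 at login.

Added example; the record formats below are constructed for the demo and are
not Mangatoon's real scheme.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Iteration count in the range OWASP recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def legacy_md5_hash(password: str, salt: bytes) -> str:
    """Produce a record in the assumed legacy layout: md5$<hex salt>$<hex md5(salt+pw)>."""
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"md5${salt.hex()}${digest}"


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Produce the replacement record: pbkdf2_sha256$<iterations>$<hex salt>$<hex key>."""
    salt = salt or os.urandom(16)  # fresh per-user salt from the OS CSPRNG
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format using constant-time comparison."""
    scheme, rest = stored.split("$", 1)
    if scheme == "md5":
        salt_hex, digest = rest.split("$")
        expected = hashlib.md5(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(expected, digest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest = rest.split("$")
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(key.hex(), digest)
    raise ValueError(f"unknown hash scheme: {scheme}")


def login_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Verify a login; on success, return a PBKDF2 record to store if the old one was MD5.

    The caller persists the returned record. A wrong password never changes the record,
    so a failed guess cannot be used to force a rehash.
    """
    if not verify(stored, password):
        return False, stored
    if stored.startswith("md5$"):
        return True, pbkdf2_hash(password)  # plaintext is only available at login time
    return True, stored


if __name__ == "__main__":
    demo_salt = os.urandom(16)
    record = legacy_md5_hash("correct horse battery staple", demo_salt)
    ok, record = login_and_upgrade(record, "correct horse battery staple")
    print(ok, record.split("$", 1)[0])  # True pbkdf2_sha256
```

Because the slow hash can only be computed when the plaintext is present, accounts that never log in again keep their MD5 records; a site doing this migration should also expire or force a reset on records still in the legacy format after a cut-off date.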

Password disasters of our time

The 23 million or so accounts have been exposed purely because of bad password management. All of this data was, incredibly, sitting behind the password “password”.

Mangatoon changed the password after the system breacher notified it. However, no customers have been notified, and anyone unaware of the breach would assume it is currently business as usual. Nothing could be further from the truth. Are there other, similarly poorly secured databases? Has the password been changed to something that isn’t “password123”?

Elasticsearch offers a variety of security features for all manner of configurations, so will Mangatoon be making use of them in future?

Having so many unanswered questions in a situation like this isn’t massively reassuring.

Lock down your databases

Poorly secured Elasticsearch databases are juicy targets for those up to no good. At least 450 ransom notes were discovered demanding payment in return for files found on Elasticsearch databases back in June of this year. Sadly for anyone paying up to recover the stolen files, there’s a good chance the attackers had already deleted them. This is, of course, a valuable reminder to back up your data.

This is especially true considering Elasticsearch sits alongside both Redis and MongoDB as some of 2022’s top exposed databases.
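Most of the exposed Elasticsearch instances the article refers to share the same handful of misconfigurations: the HTTP port bound to every interface, the security module turned off, and no TLS. The audit script below is an added example, not code from Mangatoon or from Malwarebytes, that flags those settings in an `elasticsearch.yml`. It assumes the flat `key: value` layout the file normally uses (nested YAML blocks are not parsed, to keep the demo free of third-party libraries), and it treats a missing `xpack.security.enabled` or `xpack.security.http.ssl.enabled` as a finding rather than relying on a version-specific default. The two sample configurations are constructed for the demo.

```python
"""Flag settings in an elasticsearch.yml that leave a cluster reachable without authentication.

Added example with constructed sample configs; assumes the flat key: value layout.
"""
from typing import Dict, List

# Constructed: a cluster bound to every interface with security switched off.
EXPOSED_CONFIG = """\
cluster.name: comics-prod
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed: the same cluster with authentication, TLS and a loopback bind.
HARDENED_CONFIG = """\
cluster.name: comics-prod
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

TRUE_VALUES = {"true", "yes", "on"}
# Bind addresses that stay on the local machine; _local_ is the Elasticsearch alias for loopback.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read flat 'key: value' lines, ignoring blanks and comments (nested blocks not supported)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_public_bind(host: str) -> bool:
    """True when network.host points beyond the loopback interface (e.g. 0.0.0.0, _site_, _global_)."""
    return host not in LOOPBACK_HOSTS


def audit_elasticsearch(text: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the checked settings is weak."""
    s = parse_flat_yaml(text)
    findings: List[str] = []

    security = s.get("xpack.security.enabled")
    if security is None:
        findings.append("xpack.security.enabled is not set: authentication depends on the version default")
    elif security.lower() not in TRUE_VALUES:
        findings.append("xpack.security.enabled is false: no authentication on the REST API")

    if s.get("xpack.security.http.ssl.enabled", "false").lower() not in TRUE_VALUES:
        findings.append("xpack.security.http.ssl.enabled is not true: credentials and data travel in cleartext")

    host = s.get("network.host", "_local_")  # Elasticsearch binds to loopback when unset
    if is_public_bind(host):
        findings.append(f"network.host is {host}: the HTTP port is reachable beyond the loopback interface")

    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_elasticsearch(cfg) or ["no findings"]:
            print(" -", finding)
```

Binding to loopback is the right setting for a single-node box talked to only by a local application; a cluster that must listen on a network interface should keep the other two findings at zero and put the node behind a firewall or private network as well, since the script only checks what the config file says, not what is actually reachable.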

If you use Mangatoon, you should change the password on your account now. If you’ve used the same username and password combination on other accounts, you should change those too.

The post Insecure password leads to Mangatoon data breach appeared first on Malwarebytes Labs.
