OpenSubtitles Hacked, 7 Million Subscribers' Details Leaked Online (torrentfreak.com)

OpenSubtitles, one of the largest repositories of subtitle files on the internet, has been hacked. TorrentFreak reports: Founded in 2006, the site was reportedly hacked in August 2021 with the attacker obtaining the personal data of nearly seven million subscribers including email and IP addresses, usernames and passwords. The site alerted users yesterday after the hacker leaked the database online.

"In August 2021 we received a message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it. He asked for a BTC ransom to not disclose this to the public and promised to delete the data," the post reads. "We hardly agreed, because it was not a low amount of money. He explained to us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data."

Indeed, searches on the data breach site Have I Been Pwned reveal that the database is now in the wild, containing all of the data mentioned by OpenSubtitles and more. [...] OpenSubtitles describes the hack as a "hard lesson" and admits failings in its security. The platform has spent time and money securing the site and is requiring members to reset their passwords. However, for those who have had their data breached, it may already be too late to prevent damage. The hacker has already had access to the data for several months, and now that the breach is in the wild, problems could certainly escalate.
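The post above gives the chain only in outline: a weak SuperAdmin password, then an admin-only script that let the attacker inject SQL. The block below is an added illustration, not OpenSubtitles' script or schema (neither is public), of what such a script usually looks like and how the same call is fixed. It is a hypothetical user-lookup script run against a constructed in-memory SQLite table with made-up rows; the vulnerable version splices the username into the query text, the fixed one passes it as a bound parameter. The point to take from it is that "available only for SuperAdmins" is access control on the script, not on the query: once one admin password falls, the script is the attacker's query console.

```python
import sqlite3

# Constructed sample rows standing in for a user table; not OpenSubtitles' schema.
# The last column holds unsalted MD5 hex digests, as the leaked dump reportedly did.
USERS = [
    (1, "alice", "alice@example.org", "203.0.113.10", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "bob", "bob@example.org", "198.51.100.7", "e10adc3949ba59abbe56e057f20f883e"),
    (3, "carol", "carol@example.org", "192.0.2.44", "25d55ad283aa400af464c76d713c07ad"),
]

# No stacked statement is needed: a condition that is always true turns a
# one-row lookup into a dump of the whole table.
PAYLOAD = "' OR '1'='1"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, email TEXT, ip TEXT, pw_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return conn


def lookup_user_vulnerable(conn, username):
    """Hypothetical admin-only lookup: the username is spliced into the SQL text,
    so quotes and keywords inside it are parsed as SQL."""
    sql = "SELECT id, username, email, ip, pw_hash FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_user_fixed(conn, username):
    """Same lookup with a bound parameter: the value travels separately from the
    statement and can never change its structure."""
    sql = "SELECT id, username, email, ip, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Row counts returned by both versions for a normal name and for the payload."""
    conn = build_db()
    return {
        "vulnerable_normal": len(lookup_user_vulnerable(conn, "alice")),
        "vulnerable_payload": len(lookup_user_vulnerable(conn, PAYLOAD)),
        "fixed_normal": len(lookup_user_fixed(conn, "alice")),
        "fixed_payload": len(lookup_user_fixed(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the payload the vulnerable query becomes `WHERE username = '' OR '1'='1'` and returns every row, which is exactly the "extract the data" step; the parameterised version treats the same string as a username that does not exist and returns nothing.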

  • by jtara ( 133429 ) on Wednesday January 19, 2022 @06:48PM (#62189397)

    Let me see if I have this right.

    A database of open subtitles has been hacked. So, now, all those subtitles are - open?

    Mind explodes!

    • by fahrbot-bot ( 874524 ) on Wednesday January 19, 2022 @06:58PM (#62189445)

      Let me see if I have this right.

      A database of open subtitles has been hacked. So, now, all those subtitles are - open?

      Mind explodes!

      I think that should be: [Mind explodes!]

      :-)

    • by AmiMoJo ( 196126 )

      It's not the subtitles that were compromised, it's the user data of the site. You could create an account and subscribe to feeds, so e.g. when a new episode of a TV show was broadcast you could grab a .torrent of it and subtitles to match.

      Some of the subtitles were ripped, some were created by users. Very handy when the official release doesn't support the language you read.

  • "passwords" (Score:4, Insightful)

    by Tomahawk ( 1343 ) on Wednesday January 19, 2022 @06:52PM (#62189417) Homepage

    It always annoys me when I hear a site was hacked and they got hold of "passwords" and not "password hashes".

    Why does any company store actual plaintext passwords in their databases? Like, honestly guys, wtf?

    • Re:"passwords" (Score:5, Insightful)

      by EndlessNameless ( 673105 ) on Wednesday January 19, 2022 @07:09PM (#62189481)

      I can't access the article where I am right now, but whenever I see "passwords" being exposed I usually assume it's "hashes" unless the article explicitly mentions plain-text passwords.

      And let me say...

      I don't take this stance because I trust application developers to do the right thing. It's mainly because I don't trust tech journalists to understand an issue before writing about it.

    • From the article: "In August 2021, the subtitling website Open Subtitles suffered a data breach and subsequent ransom demand. The breach exposed almost 7M subscribers' personal data including email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes," the site reports.
    • by tlhIngan ( 30335 )

      It always annoys me when I hear a site was hacked and they got hold of "passwords" and not "password hashes".

      Why does any company store actual plaintext passwords in their databases? Like, honestly guys, wtf?

      It may not be stored in plaintext, but it may not have been stored properly as hashes, either.

      You can't just hash a password, because you're still vulnerable to a rainbow table attack (basically lists of passwords with pre-calculated hashes so you do a quick comparison of hashes).

      To avoid this, you need

    • It always annoys me when I hear a site was hacked and they got hold of "passwords" and not "password hashes".

      Why does any company store actual plaintext passwords in their databases? Like, honestly guys, wtf?

      Is there a meaningful difference? In any large hacked password dataset you'll have thousands to millions of passwords trivially hacked in a short amount of time regardless of algorithm and amplification scheme employed.

      The only way to meaningfully protect passwords is to encrypt them and make sure your databases and application servers lack the means of ever decrypting them. The only thing that gets access to keys should be single function authenticators.
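For the thread above on "passwords" versus "password hashes" (the dump reportedly held unsalted MD5), here is an added example, not from the page or from OpenSubtitles, that shows on constructed data the three stages the replies argue about: why unsalted MD5 is recovered by lookup rather than by cracking, why a per-user salt removes only that shortcut, and what a slow salted KDF with a server-side secret looks like (the "keys only the authenticator holds" point in the last reply, usually called a pepper). The word list, dump rows, salt and pepper are all made up here; in practice the pepper comes from a KMS or HSM, never a literal in code or a column in the database.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracking wordlist. Real ones hold billions of entries,
# and the tables built from them are reused against every unsalted dump ever leaked.
WORDLIST = ["password", "123456", "letmein", "qwerty", "opensubtitles", "hunter2"]

PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; a simplified version of a rainbow table."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(dump, table):
    """dump: [(username, md5_hex)]. No hashing at crack time, one dict lookup per row."""
    return {user: table[h] for user, h in dump if h in table}


def crack_salted_md5(dump, words):
    """dump: [(username, salt_hex, md5_hex(salt + password))].

    The precomputed table is useless because each salt changes every hash, but a
    fast hash still permits billions of guesses per second per row on a GPU: the
    salt removes the shortcut, it does not make guessing expensive.
    """
    found = {}
    for user, salt_hex, h in dump:
        salt = bytes.fromhex(salt_hex)
        for w in words:
            if md5_hex(salt + w.encode()) == h:
                found[user] = w
                break
    return found


def hash_password(password: str, pepper: bytes, salt: bytes = None):
    """Salted, slow KDF with a server-side secret ('pepper') folded in via HMAC.

    The pepper is held outside the database (KMS, HSM or a separate auth service),
    so a database-only dump cannot be attacked offline at all. Returns (salt, digest).
    """
    if salt is None:
        salt = os.urandom(16)
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, pepper: bytes, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed "leaked" rows in the shape of an unsalted MD5 dump.
    dump = [("alice", md5_hex(b"password")), ("bob", md5_hex(b"letmein")),
            ("carol", md5_hex(b"correct horse battery staple"))]
    print("unsalted:", crack_unsalted(dump, table))
    salt = os.urandom(16)
    print("salted  :", crack_salted_md5([("alice", salt.hex(), md5_hex(salt + b"password"))], WORDLIST))
    pepper = os.urandom(32)  # illustration only; load from a KMS in practice
    s, d = hash_password("hunter2", pepper)
    print("kdf     :", verify_password("hunter2", pepper, s, d), verify_password("hunter3", pepper, s, d))
```

The first two functions are what an attacker runs against the dump; the last two are what the site should have been running. Without the pepper the KDF still limits the attacker to a slow dictionary attack per row; with it, a leak of the user table alone gives nothing to attack, which is the weaker but more practical form of the "encrypt them" proposal in the last reply.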

  • While it doesn't excuse the negligence of the admins, if you use the same password for everything, this "hack" in particular is the least of your problems.
  • And the guy's buddy (yeah, sure) came back a few months later to try to get more.

    Another concern for OpenSubtitles users is that many are likely to be members of pirate sites. If they used the same credentials on those then that is clearly an issue but if the report from Have I Been Pwned is correct, their email addresses can now be matched with their IP addresses too.

    It's bad when the copyright mafia is the bigger threat.

  • I think I've used their site a few times, and from what I can see the subtitles are all free to download. What exactly are the subscribers paying for?

    • IIRC there's a daily limit on how many subs you can download if you're not logged in. Making a normal account is free, you can pay to get a no ads type account.
  • This is funny. I'm subscribed to this service and logged in to change my password. When you click the 'reset password' option, they just send you a new password in a cleartext email. I'm glad I use different passwords for all web services (thank you Keepass).
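Regarding the last comment (a "reset" that mails a new password in cleartext), here is an added example, not OpenSubtitles' code, of the usual alternative: a single-use, expiring reset token drawn from the OS CSPRNG, of which only a hash is stored, so that neither the user's mailbox nor a dump of the reset table yields a working credential. The ResetStore class and the 15-minute lifetime are assumptions for illustration; after a successful redeem the application lets the user choose a new password and stores it with a proper KDF.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ResetStore:
    """Stand-in for a reset-token table: email -> (token_hash, expiry).

    Only the hash of the token is stored, so someone who dumps this table (as
    happened to the user table here) still cannot reset anyone's password.
    """

    def __init__(self):
        self.rows = {}

    def issue(self, email: str, now: float = None) -> str:
        """Create a token for the emailed link. Issuing again replaces any earlier token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of OS randomness, not a new password
        self.rows[email] = (_token_hash(token), now + RESET_TTL_SECONDS)
        return token

    def redeem(self, email: str, token: str, now: float = None) -> bool:
        """True once for the right token before expiry; False in every other case."""
        now = time.time() if now is None else now
        row = self.rows.get(email)
        if row is None:
            return False
        stored_hash, expiry = row
        if now > expiry:
            del self.rows[email]
            return False
        if not hmac.compare_digest(stored_hash, _token_hash(token)):
            return False
        del self.rows[email]  # single use: the link sitting in the mailbox is now dead
        return True


if __name__ == "__main__":
    store = ResetStore()
    link_token = store.issue("alice@example.org")
    print("first use :", store.redeem("alice@example.org", link_token))
    print("second use:", store.redeem("alice@example.org", link_token))
```

Compared with mailing a password, this means the only secret that ever transits email is short-lived, bound to one account, and cannot be recovered from the server side after the fact.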
