OpenSubtitles is a popular subtitles websites, it suffered a data breach that affected 6,783,158 subscribers. Exposed data include email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes.
The administrator of the website become aware of the hack after a hacker notified them via Telegram in August 2021 demanding the payment of a ransom. The attacker also offered his support to OpenSubtitles to address the security flaws he has found on the website. Administrators of the website agreed to pay the ransom due to the low amount, but after receiving the ransom, the attackers never helped them to secure the website and on 11 January 2022 they leaked the data online.
The hack is the result of poor cyber security since its launch in 2006, administrator OSS said. It seems that the threat actor exploited a SQL injection to access the database of the website.
“In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it.” reads a data breach notification published on the website. “He asked for a BTC ransom to not disclose this to public and promise to delete the data.
“We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.”
The financial data of the subscribers haven’t been compromised by the attacker.
Subscribers are recommended to change opensubtitles.org and opensubtitles.com and forum password. Subscribers that shared opensubtitles.org password somewhere else are recommended to change it as well.
Administrators announced the improvement of the security of the website, including the introduction of new password policy.
“The site SHOULD be more secure now, we improved the way users are connecting to the site, the accounts will be locked after some successful logins, we introduced new password policy, we removed session info from table, IP should not be spoofable anymore, Captchas on login, register, password-reset, CSRF on forms, requests will be cancelled if admins change their IP during session, user passwords are saved in safe form using hash_hmac and sha256 algo with salt and pepper, all md5() passwords are deleted. For IT geeks – yes, we are using password_hash(), with peppered sha256 password, BCRYPT and for verification password_verify()” concludes the notification. “Note that our new site, opensubtitles.com was built with stronger security concerns, and already included all the points described above.”
Subscribers can check if their data have been exposed by querying the data breach notification website Have I Been Pwned that received the list of compromised users.
(SecurityAffairs – hacking, OpenSubtitles)