A hack at OpenSubtitles.org has leaked the account information of 6.7 million users. The hack is said to have taken place in August 2021, but users have only now been notified.
What was stolen?
OpenSubtitles.org is a website where you can download subtitles for movies. In a forum post, the site announces that they were approached by a hacker in August 2021. The hacker said he had access to the login details, email addresses, IP addresses and passwords of more than 6.7 million users.
The hacker reportedly also asked for money in exchange for not distributing the data further. OpenSubtitles.org reportedly did not give in to the ransom demand because the sum was too high. The attacker allegedly helped the site by indicating where the vulnerabilities were located.
The site's admins initially trusted that the hacker had good intentions and would not spread the data. They say they learned a hard lesson when the users' login details were made public anyway.
The passwords on the OpenSubtitles.org site were stored as unsalted MD5 hashes. This is not sufficient to properly protect short passwords. The hacker managed to get in through a poorly secured SuperAdmin account and an unsecured script.
The site states that users' credit card details were not stolen during the hack, because they are stored externally.
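An added example, not code from OpenSubtitles or from the original article: the unsalted MD5 storage described above beside a salted, deliberately slow alternative (PBKDF2-HMAC-SHA256 from Python's standard library). The account names, passwords, record format and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def md5_unsalted(password: str) -> str:
    """The weak scheme the article describes: one fast MD5 pass, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Hardened form: random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record: wrong field count, bad hex, bad count
        return False
    return hmac.compare_digest(dk, expected)


def shared_digest_groups(rows, hasher):
    """Return groups of users whose stored value is byte-for-byte identical."""
    groups = {}
    for user, password in rows:
        groups.setdefault(hasher(password), []).append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample accounts, not data from the breach.
SAMPLE = [("alice", "summer21"), ("bob", "summer21"), ("carol", "Xk#9vQ!t2m")]

if __name__ == "__main__":
    # Unsalted MD5: equal passwords give equal digests, visible straight from a dump.
    print("unsalted MD5 duplicates:", shared_digest_groups(SAMPLE, md5_unsalted))
    # Per-user salt: every stored record differs, even for equal passwords.
    print("salted PBKDF2 duplicates:", shared_digest_groups(SAMPLE, hash_password))
```

With unsalted MD5, one computed digest applies to every account that shares the password; the per-user salt removes that sharing and the iteration count makes each guess expensive.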
The site encourages users to change their passwords. If users use the same password elsewhere, it is recommended to change the password there as well.
The site also says that the new version of the platform, OpenSubtitles.com, has better security.
The leaked credentials have also been added to the Have I Been Pwned website, so hopefully more people will become aware that their credentials have been leaked.