What you need to know about the recent MangaDex data breach

Status
Not open for further replies.
Joined
Jul 1, 2018
Messages
1
Regarding privacy implications, MangaDex history only stores the last 10 manga you read, the most recently read chapter of each, and the exact time you read it, BUT it also stores the last 10 hentai in a separate history. You can see your complete history record by switching between hentai-only and no-hentai view.

So, for example, if you read One Punch Man chapter 1, 3, and 2 in that order, the history will only record that you read One Punch Man volume 2, and the date/time you read it. Once you read 10 more non-hentai manga, the history forgets you ever read One Punch Man. However, hentai is tracked separately, so if you read a hentai, history will remember it until you read 10 more hentai. In retrospect, perhaps the site should have a disable history function.

If you follow a manga, it also remembers every chapter you read (the eye icon next to each chapter in the list). Unfollowing a manga gives a warning that it will remove all read markers, but this feature appears to be currently non-functioning, perhaps due to ongoing improvements. You can still manually click the icon beside each chapter to mark it as unread. This won't affect the history page.

Passwords are hashed with bcrypt with cost 10 and a random salt. This is the current PHP default, and it's pretty reasonable. A high-end PC could crack about 3,500 such passwords per day, meaning that you really need to change your password if it's common or short. It's a good idea to change it anyway. In general, it's a good idea to use a unique password for every site, because you can't always be sure when a site has been hacked. Good job to the admins for keeping the users informed.
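How the "cost 10" setting mentioned in the post above shows up in a stored hash, as an added example that is not part of the original thread or MangaDex's code: a parser for the bcrypt string format that flags values hashed below a target cost, so they can be re-hashed at the user's next login. The sample rows, user names and the target cost of 12 are constructed assumptions.

```python
import re

# bcrypt string layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

def parse_bcrypt(stored):
    """Return variant, cost and round count of a bcrypt string, else None."""
    m = BCRYPT_RE.fullmatch(stored)
    if m is None:
        return None
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # bcrypt only accepts costs in this range
        return None
    # The cost is a base-2 logarithm: cost 10 means 2**10 key-setup rounds.
    return {"variant": m.group(1), "cost": cost, "rounds": 1 << cost}

def needs_rehash(stored, target_cost):
    """True if the value is not bcrypt or was hashed below target_cost."""
    info = parse_bcrypt(stored)
    return info is None or info["cost"] < target_cost

def audit(rows, target_cost):
    """Map each user to 'ok', 'low-cost xN' or 'not-bcrypt'."""
    report = {}
    for user, stored in rows:
        info = parse_bcrypt(stored)
        if info is None:
            report[user] = "not-bcrypt"
        elif info["cost"] < target_cost:
            # Each +1 in cost doubles the attacker's work per guess.
            report[user] = "low-cost x%d" % (1 << (target_cost - info["cost"]))
        else:
            report[user] = "ok"
    return report

# Constructed sample rows: filler salt/digest characters, not real hashes.
SAMPLE = [
    ("alice", "$2y$10$" + "A" * 22 + "b" * 31),
    ("bob", "$2y$12$" + "C" * 22 + "d" * 31),
    ("carol", "0" * 32),  # e.g. a legacy unsalted digest
]

if __name__ == "__main__":
    for user, status in audit(SAMPLE, target_cost=12).items():
        print(user, status)
```

The `xN` figure is the factor by which per-guess work would grow if that hash were regenerated at the target cost.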
 
Fed-Kun's army
Joined
Jan 18, 2018
Messages
812
Thank you for all the hard work! I appreciate everything that you do for MangaDex; this transparency is the icing on top haha. Thanks again!
 
Group Leader
Joined
Dec 28, 2019
Messages
24
Eh, nothing too bad, since it was hashed and salted and all the sessions are now invalidated. Here in Germany a Covid Test Company had a data leak with test results from 80.000 people with name, birthday, address and ID number... So nothing too bad here. Thanks for the transparency
 
Member
Joined
Oct 12, 2019
Messages
20
Keep up the good work guys, don't let this get you down.

Getting hacked is almost a rite of passage when small websites get large and famous.

It could have been a lot worse, but you guys prevailed.
 
Joined
Mar 23, 2020
Messages
31
Really sorry to hear about all this, but thanks to the MD staff for dealing with it and being honest.

I do have some questions though. First of all, the hacker exploited the remember me function right? I'm pretty sure I've never actually used that function, so does that mean my data was any less vulnerable?
Also, if/when the DB gets leaked, what is the possible damage it could do/worst case scenario? Skimming through all the comments it seems most likely the emails will just get spammed, but is there anything else to worry about?

Sorry if these are naive questions, I don't really know much about hacking.
 
Joined
Feb 6, 2021
Messages
1
alright, so genuine question - what could they possibly do with my email account? send me spam? i get why i wouldn't want them to have my password (if it was a password i used on other sites) but what good would knowing my email address do for anyone?
 
Member
Joined
Feb 25, 2018
Messages
8
@IndigoNight

If you never used remember me that means that the hacker couldn't have signed into your account on the live version of MangaDex. That is mostly a nonissue since only accounts with privileges gave the hacker anything.

As for the DB leak there's also the password that you used that would get leaked in a hashed format. That means that they can't directly see what your password is, but it is still good to change your password here and on any other sites that use the same password, just in case.

Another result that will understandably bother some people is that their email will be connected to the data from MangaDex, including read history, follows, etc. There might not be any further consequences, but it is a breach of your privacy.
 
Joined
Apr 28, 2020
Messages
2
@kafka No, I switched to the v2 but now it keeps sending me 404

edit: now I know the URL switched from "mangadex.org/api/v2" to "api.mangadex.org/v2". Sorry for the inconvenience :(
 
Member
Joined
Dec 21, 2018
Messages
165
I think there is an issue with Chrome. I wasn't getting the password reset email at all. Then I finally decided to switch to Firefox and received the password reset email right away.
 