What you need to know about the recent MangaDex data breach

Status
Not open for further replies.
Member
Joined
Mar 7, 2019
Messages
114
i know i'm going to get some heat for this but :
maybe consider temporarily locking the Solo Leveling chapters for the next hours, already more than 27k views in few minutes, i'm sure it's not helping...
 
Joined
Oct 12, 2019
Messages
9
Well the leak is a meme ?
In terms of $$$ no one would buy it email and ip means nothing .
Gl the hackers and the plebs who buys the leak “dehashing” bycript is slow as fuck an not worth your time .
 
Contributor
Joined
Jan 25, 2018
Messages
46
Storing session tokens in the database is a bad choice. Trying to deflect criticism by stating that other sites have been breached is a bad choice. If it was the first time some site leaked my information due to lax security maybe I would be upset, but all I will say is I'm not surprised. I'm pretty sure this situation will eventually be swept under the rug and nobody will learn anything from it.
 
Dex-chan lover
Joined
Feb 14, 2018
Messages
3,231
Kinda sucks on my email, but it's not like the password is the same.

10k BTC though lol, the ransom was never the point, it really looks like someone paid a slightly skilled hacker to start crap.
 
Group Leader
Joined
Feb 18, 2018
Messages
21
@Plykiya
It was coded in a weekend by a single person and then gradually improved on by a single person who isn't even a dev. We know it's shit lol, working on the v3 code is demoralizing to all of the devs. Hence why the plan is for a complete rewrite away from the existing code.

The admins have nothing to do with it, but you are right that the devs want to kill themselves looking at the current site code. Again, hence the plans for a rework. Everything we do is just firefighting attempts to keep v3 going until v5 exists.

That's a fine excuse and all, but why even waste the time to get all the way up to v3 in the first place if you're just rewriting it? Take the site down for a bit and finish the rewrite so users aren't still open and exposed and so your devs (sorry, I miswrote admins) can focus on one project instead of sloppily throwing together one that may never actually ship anytime soon (or at all, going by the track record) while patchworking the other one with toothpicks and glue? I seem to recall a very similar situation with v4, which was just never implemented because either it couldn't be coded well or because you were too lazy to implement it.
But at this point we've been on v3 for ages and there've hardly been ANY QoL features added, even simple ones, like a site theme that isn't just default Bootstrap. I dunno if that's just because your code is THAT bad or just from lack of desire to update them or just being too busy keeping the various fires from spreading, but it's still such a non-excuse to say "we're just rewriting the site, please keep using this site ad infinitum despite the glaring issues and just get ready for regular data breaches because until then we aren't doing anything."

Batoto had a support forums, an IRC channel, and reports. We have a support forum, a Discord, and reports. Your standards between us and Batoto are kind of... lol. Batoto even ran ads all the time too, you know? What we're doing with one tiny banner isn't even close to the level of ads they had.

I am a bit passive aggressive when people hold Batoto to some holy grail standard where everything was better when it was struggling to barely cope with Tachiyomi traffic and had to make the website accounts-only whereas we're pushing at least 20x the amount of traffic they were and getting told we're more incompetent than them because we're struggling to keep up with the upgrades required lol.

And ending sentences with lol is indeed something I can't really avoid.

I mentioned Batoto once at the beginning just referring to how MangaDex started (to sop up the pool of clout in the vacuum left by the site's closure). By no means do I hold them to some holy grail standard. I wasn't on board the ad train, and if I had needed a support I would have been very frustrated, as I was very frustrated when I needed assistance with an account issue here sometime last year. I didn't have a way to contact the admins except, as I said, to go into a huge public discord and hope that maybe an admin might answer my account question. By the way, that didn't happen and I had to use other means to fix my issue. I'm not drawing comparisons between MD and Batoto, it seems to be only you lacking the reading comprehension to see that, but after the way the site has been run since its inception, again I'm not surprised. But if you want a real direct comparison, Batoto was definitely a much better site because at least it worked, which is far more than I can say about MD most of the time.

Honestly though, if it helped the site's performance, I really wouldn't even mind if MD went accounts-only, because contrary to your boasting about how super good the load times are, several friends and I from before the breach and even one of the users posting here are still reporting higher than acceptable failure rates. And no, it's not because I just have bad Internet lol XD

Even in v5 it'll be a manual process. Sorry that you don't have to deal with the people attempting to upload ads and bait images to the website.
I don't care that it's a manual approval process, that's fine. I just think it's weird that to register a group you have to go into a forum thread and beg and wait for someone to add it. A simple form would be way more effective both for users and the admins. The fact that you responded in this way makes me think that v5 will continue this sloppy handling of group additions so if you're trying to advertise that, you're not doing a very good job at it. Even a rewrite isn't gonna fix the obvious infrastructure issues here.

2FA stops people from ever being able to access your account via a password. Assuming that the other 99% of people trying to get into your account are trying to do it by a db breach is just being insincere.
Sure but just about any decent site engineer knows not to store session codes on the DB.

Well, feel free to make your own website. We don't ban people for criticizing us, lol. You're acting a bit silly.
Look, I get that I'm having a pretty big reaction to this, but it's really obvious through the OP and this response that you don't care about user data. I see people bragging about "well my data on here isn't important" or "I'm using a secure password" but given the size of your userbase, these people are more likely the exception than the rule, and as a site owner, do you not feel any sort of duty to protect the potentially vulnerable data of your users? I guess not, because if you did, the site wouldn't be running in this condition in the first place.

Anyways, hope any of this made it through, but judging by the tone of your response and the desperate attempt to find excuses, deflect by saying "other people did it too!" and not really address my issues, I'm not hopeful.
 
Joined
Sep 13, 2020
Messages
6
well im not screwed over at all.

this site was the first and only to be transferred to my new password set so I'm good.

tip folks, if you are going to repeat passwords, use multiple email accounts, separated by topic (games, work, personal, -insert your dirty secrets-) and use completely different password sets for each.
 
Joined
Aug 28, 2018
Messages
5
Out of curiosity, are there any plans on letting users export their lists? Obviously there's a massive loss of trust between yourselves and the userbase right now and I feel like some would want to be able to back up their lists in case anything happens, assuming they haven't already.
 
Fed-Kun's army
Joined
Jan 22, 2018
Messages
129
probably should have come out with this info 2 days ago so any potential chance at the passwords being used anywhere else could be resolved.... encrypted or not you guys feel the hacker has 4 month old info which means he had it for 4 months to fuck with and lord knows the damage that can be caused in less time
 
Power Uploader
Joined
Jan 18, 2018
Messages
178
@Dobu

Hot takes. Counterpoint: you clearly have no experience in growing & scaling websites. Do you think Batoto was any better than MD three years after its launch?

Gripe about everything you want, but you’re setting expectations far outside of what is realistically achievable with this site, especially with the current time frames.
 
Aggregator gang
Joined
Jan 23, 2018
Messages
440
No great loss, I already use random passwords generated from a password manager and all the other stuff is like 🤷‍♀️ Who would pay money for that data, srsly amateur hour.

Glad to hear you're salting and hashing passwords and new site is being developed to modern standards. Once you've launched v5 + 2FA you'll have better security than most banks... 😐
 
Dex-chan lover
Joined
Apr 18, 2018
Messages
240
Asking for about 500 million USD from an unofficial Manga hosting site with no ads sounds like two things; an idiot who thought they hacked a company like Shueisha or someone malicious enough to ransom your data with the intention to instigate a data breach in thr first place.

Either way, be safe everyone.
 
Member
Joined
Oct 26, 2018
Messages
363
maybe becouse of the pandemic, people have to much free time. start doing shit like this. fighto for u guys
 
Status
Not open for further replies.

Users who are viewing this thread

Top