What you need to know about the recent MangaDex data breach

Status
Not open for further replies.
Dex-chan lover
Joined
Apr 22, 2019
Messages
902
That must be a lamer hacker; he thought he'd get the gold, but he is only entrapped in the unmonitored honeypot instead.

I will give that hacker 10 BTC if he can crack the password. Of course he can't, he doesn't even understand security a bit, I'm sure.

FYI to all, bcrypt is fucking secure. Even if you insert the same password, the hash result is randomly generated, unlike using stupid MD5 or SHA-1 hash, so... just adding 1 character to the password is enough for me.

@KingHarkinian @bingbingmeup
PHP is not secure if you host the site with the default settings of XAMPP's Apache; only amateurs do that. Meanwhile, nginx is for production, which is proven as secure as storing money in the vault, even with default settings.
 
Group Leader
Joined
Jan 19, 2018
Messages
1,036
"your email addresses, creation and last connection IPs, backup 2FA codes, RSS keys, follows, comments, DMs, etc. are not fine"

I rarely use my email anyway (which is exclusively used for mangadex) as it gets bombarded with spam and crap so much that I don't even bother checking it anymore. I honestly don't understand what good having my email out in the open will do for them, as it was always public in the first place as well, and most dangerous emails get filtered. And contrary to my avatar, it's not like I'm a senior citizen that gets duped by IRS gift card scammers from overseas.

I have new codes after I re-enabled 2FA, so that's fine.

I use a VPN, and everything else was either already public or I don't care about it anyway.

...So all in all, seems this hacker only wasted their time and the loser should really get a life, or do the world a favor and off themselves. If he was actually smart, he'd go after the giant megacorps with billions to burn rather than a niche hobby comic site.
 
Joined
Nov 11, 2020
Messages
1
I'm sorry this happened to you all (MangaDex Team), and I'm glad you guys were able to get it all settled, and wishing you all peace of mind!
 
Most powerful member of the GFG
Staff
Super Moderator
Joined
Feb 16, 2020
Messages
8,166
@Harry_Dong
"If he was actually smart, he'd go after the giant megacorps with billions to burn rather than a niche hobby comic site."
I've seen many people say this, but it's unlikely he would've succeeded at hacking most normal businesses, imo; this guy just wanted a power trip and chose MD as his victim.
 
Yuri Enjoyer
Staff
Developer
Joined
Feb 16, 2020
Messages
446
@Umesan @Anish_Agarwal
"The groups that were removed. Were they able to be reinstated?"

Of course, should be done already. If you notice a missing one, do let us know.

@Piamette
"Before you try and suggest us regular users some methods to "better secure" our accounts -- before you fix those security breaches, even, you should police yourselves."

It might not look like it, and if so let me set this straight, but we take this very seriously. We could have come back up an hour later if we'd wanted, but instead chose to spend almost 24 hours investigating, hardening what holes we might have missed in the past on the security side of things, and devising a plan for the next steps we should take wrt security.

@RogueKitsune
"Only suggestion I would like to make is to treat 2FA recovery codes like passwords."

These are definitely getting this treatment from now on, yes.

---

Thank you for all the kind messages. Might not be able to reply to each 1 by 1, but we read and appreciate them.

As for the users pissed off about this happening at all, believe us, we're as pissed, if not more. And we understand and share your frustration. Remember *our* data is part of the breach too. If anything, it's probably in the "spotlight" of it.

We certainly do not take this lightly even if it might be interpreted as such. However:
- We can't fix the past, and had already been busy massively upgrading security as part of the new infrastructure's deployment
- Life must go on, and for this we are planning, and will continue to plan for improvements wrt features as well as security

We are doing our best with the means available to MangaDex at the moment. Things will keep on improving, so please look forward to it.
 
Joined
Mar 8, 2019
Messages
4
I recently ran into a site called mangadex.tv. If what I've read is right, it is a blatant fake rip-off with no official connection to this site. That said, could this hack be an attempt to have the fake replace the real?
 
is a Reindeer
VIP
Joined
Jan 24, 2018
Messages
3,231
@lunnia Fake clones of MD have been around since three years ago; they have nothing to do with database hacks. They just try to get high on Google results and fool people into entering their credentials onto the site, and users are hopefully smart enough to realize that the domain they're on isn't mangadex.org....
 
Active member
Joined
May 23, 2020
Messages
62
Thanks to all of you in MD's team for your hard work of fending off repeated shitstorms these last months.
 
Joined
May 17, 2019
Messages
146
When I saw a post saying the website was hacked yesterday, I thought it was a joke, but demmm
 
Member
Joined
Jan 19, 2018
Messages
370
Is there a way to backup/export our follow list?

Just for backup purposes.

I kinda treasure my follow list, so it would be preferable if there is an option to do so.

It would bring peace of mind if there is an option to do so, as I live in fear of my follow list getting deleted or vandalised every day.

Also, you should probably prioritize emailing every user about the data breach, it's the right thing to do.

As some nonactive users could actually value their email addresses, creation and last connection IPs, backup 2FA codes, RSS keys, follows, comments, DMs, etc.

In addition, I can't find the bethesda.net login page (which is worrisome as I don't know if I used my Mangadex password for it).
 