What you need to know about the recent MangaDex data breach

Status
Not open for further replies.
Joined
Jul 1, 2018
Messages
1
Regarding privacy implications, MangaDex history only stores the last 10 manga you read, the most recently read chapter of each, and the exact time you read it, BUT it also stores the last 10 hentai in a separate history. You can see your complete history record by switching between hentai-only and no-hentai view.

So, for example, if you read One Punch Man chapter 1, 3, and 2 in that order, the history will only record that you read One Punch Man volume 2, and the date/time you read it. Once you read 10 more non-hentai manga, the history forgets you ever read One Punch Man. However, hentai is tracked separately, so if you read a hentai, history will remember it until you read 10 more hentai. In retrospect, perhaps the site should have a disable history function.

If you follow a manga, it also remembers every chapter you read (the eye icon next to each chapter in the list). Unfollowing a manga gives a warning that it will remove all read markers, but this feature appears to be currently non-functioning, perhaps due to ongoing improvements. You can still manually click the icon beside each chapter to mark it as unread. This won't affect the history page.

Passwords are hashed with bcrypt with cost 10 and a random salt. This is the current PHP default, and it's pretty reasonable. A high-end PC could crack about 3,500 such passwords per day, meaning that you really need to change your password if it's common or short. It's a good idea to change it anyway. In general, it's a good idea to use a unique password for every site, because you can't always be sure when a site has been hacked. Good job to the admins for keeping the users informed.
 
Fed-Kun's army
Joined
Jan 18, 2018
Messages
812
Thank you for all the hard work! I appreciate everything that you do for mangadex; this transparency is an icing on top haha. Thanks again!
 
Group Leader
Joined
Dec 28, 2019
Messages
24
Eh, nothing too bad, since it was hashed and salted and all the sessions are now invalidated. Here in Germany a Covid Test Company had a data leak with test results from 80.000 people with name, birthday, adress and ID number... So nothing too bad here. Thanks for the transparancy
 
Member
Joined
Oct 12, 2019
Messages
20
Keep up the good work guys, don't let this get you down.

Getting hacked is almost a rite of passage when small websites get large and famous.

It could of been a lot worse, but you guys prevailed.
 
Joined
Mar 23, 2020
Messages
31
Really sorry to hear about all this, but thanks to the MD staff for dealing with it and being honest.

I do have some questions though. First of all, the hacker exploited the remember me function right? I'm pretty sure I've never actually used that function, so does that mean my data was any less vulnerable?
Also, if/when the DB gets leaked, what is the possible damage it could do/worst case scenario? Skimming through all the comments it seems most likely the emails will just get spammed, but is there anything else to worry about?

Sorry if these are naive questions, I don't really know much about hacking.
 
Joined
Feb 6, 2021
Messages
1
alright, so genuine question - what could they possibly do with my email account? send me spam? i get why i wouldn't want them to have my password (if it was a password i used on other sites) but what good would knowing my email address do for anyone?
 
Member
Joined
Feb 25, 2018
Messages
8
@IndigoNight

If you never used remember me that means that the hacker couldn't have signed into your account on the live version of MangaDex. That is mostly a nonissue since only accounts with privileges gave the hacker anything.

As for the DB leak there's also the password that you used that would get leaked in a hashed format. That means that they can't directly see what your password is, but it is still good to change your password here and on any other sites that use the same password, just in case.

Another result that will understandably bother some people is that their email will be connected to the data from MangaDex, including read history, follows, etc. There might not be any further consequences, but it is a breach to your privacy.
 
Joined
Apr 28, 2020
Messages
2
@kafka No i switched to the v2 but now it keep sending me 404

edit: now i know the url switched from "mangadex.org/api/v2" to "api.mangadex.org/v2". Sorry for the inconvenience :(
 
Member
Joined
Dec 21, 2018
Messages
166
I think there is an issue with Chrome. I wasn't getting the password reset email at all. Then I finally decided to switch to Firefox and received the password reset email right away.
 
Status
Not open for further replies.

Users who are viewing this thread

Top