The popular movie and series subtitle site OpenSubtitles announced this week that it had been attacked by a hacker. The site alerted its users on Tuesday, January 18, after the hacker leaked its database online.
In a blog post on their forum, the site team revealed that a hacker contacted them last August via Telegram to inform them that he had access to the data of all users, approximately 7 million, including email and IP addresses, usernames and passwords.
For those who are new to OpenSubtitles, it is a very popular service that offers subtitle files for movies and series. The service is accessible through the domains "opensubtitles.org" and "opensubtitles.com", where it maintains a discussion forum.
According to messages from the site's administrators, hackers were able to access the user database in August 2021. Since the operators of OpenSubtitles did not respond to ransom demands, the access data now appears on the Internet. According to the team, the user database comprises just over 6.7 million entries.
The leaked data set contains email addresses, IPs, usernames, users' countries of origin, and passwords in the form of an MD5 hash. The team admits that little has been done to tighten security in recent years, which allowed the attacker to perform a SQL injection after compromising a super administrator's insecure password.
“In August 2021, we received a message on Telegram from a hacker, who showed us that he had been able to access the opensubtitles.org user table and downloaded a SQL dump (a copy of raw data). He demanded a ransom in bitcoins for not disclosing this to the public and promised to delete the data. We hardly accepted, because it was not a small amount of money. He told us how he could get access and helped us fix the error. Technically, he managed to hack a SuperAdmin's insecure password,” the team's post reads.
“He had access to an insecure script, which was only available to SuperAdmins. This script allowed him to perform SQL injections and extract the data,” the post said. While none of the hacked data was leaked last August, on January 11, 2022, OpenSubtitles received further correspondence from a “contributor to the original hacker” who made similar requests. The initial hacker could not be contacted for help, and on January 15, the site learned that the data had been leaked online the day before.
The "Have I Been Pwned?" project has recorded the data and added it to its searchable database of public data leaks. This allows users to check whether their email address or password has been compromised.
OpenSubtitles said that credit card information was not compromised.
“The hacker can gain access to user accounts. So you can download subtitles and so on, but you haven't had access to credit card or other data; those are stored outside of our platform,” the site administrator, “OSS,” wrote.
OpenSubtitles describes the hack as a "hard lesson", acknowledging the flaws in its security. It has since improved its security by making some changes under the hood.
“The site stored passwords in unsalted md5() hashes, which were replaced by hash_hmac and salted SHA-256,” OSS said. In addition, OpenSubtitles introduced a new password policy, account lockout after failed login attempts, and captcha on the password reset page, the login page and other places.
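One way a move from unsalted MD5 to a salted, keyed SHA-256 hash can be rolled out without knowing users' passwords is to upgrade each record at the next successful login. The sketch below is an added example, not OpenSubtitles' code; the record layout, the `SERVER_KEY` value and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret stored outside the user database (constructed value).
SERVER_KEY = b"constructed-demo-key"


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: equal passwords always yield equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hmac_sha256(password: str, salt: bytes) -> str:
    """HMAC-SHA-256 keyed with SERVER_KEY over a per-user salt plus the password."""
    msg = salt + password.encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_legacy_record(password: str) -> dict:
    """Build a user record in the old format (hypothetical layout)."""
    return {"scheme": "md5", "salt": None, "hash": legacy_md5(password)}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Verify a login attempt; rewrite a legacy record in place on success."""
    if record["scheme"] == "md5":
        ok = hmac.compare_digest(record["hash"], legacy_md5(password))
        if ok:
            # The plaintext is only available now, so re-hash it immediately.
            salt = secrets.token_bytes(16)
            record.update(scheme="hmac-sha256", salt=salt.hex(),
                          hash=salted_hmac_sha256(password, salt))
        return ok
    if record["scheme"] == "hmac-sha256":
        salt = bytes.fromhex(record["salt"])
        expected = salted_hmac_sha256(password, salt)
        return hmac.compare_digest(record["hash"], expected)
    return False  # unknown scheme: fail closed


if __name__ == "__main__":
    alice = make_legacy_record("correct horse")  # constructed sample users
    bob = make_legacy_record("correct horse")
    print("same MD5 hash:", alice["hash"] == bob["hash"])
    verify_and_upgrade(alice, "correct horse")
    verify_and_upgrade(bob, "correct horse")
    print("same upgraded hash:", alice["hash"] == bob["hash"])
```

Records that are never upgraded because the user does not log in again keep their MD5 hash until they are reset or wrapped some other way. A fast hash such as SHA-256, even salted and keyed, is cheaper to brute-force than a dedicated password hashing function such as bcrypt, scrypt or Argon2.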
The most immediate threat is to users who have used the same email address and password combination on other sites, since an attacker could use the leaked credentials to access those third-party accounts. The same applies to OpenSubtitles users who frequent other portals with the same credentials.
That is why, if any of our readers are frequent visitors, it is recommended that they change their password on the opensubtitles.org and opensubtitles.com domains.