The hugely popular Manga comics platform Mangatoon has fallen victim to a data breach. No fewer than 23 million user accounts could be at risk, thanks to a poorly secured database. Worse still, Mangatoon doesn’t seem to be responding to messages from the breacher, or people notifying it that the breach has taken place.
A limited edition run of exposed accounts
Mangatoon allows comics fans to read a variety of web comics for free via the app, with the option to “unlock” whole comics for a fee. Unfortunately for Mangatoon, its Elasticsearch database was compromised leading to several attempts to get its attention.
No response was forthcoming by email or even social media. While it’s possible everyone involved is too busy fixing the problem, the complete lack of a reply is concerning.
Checking for exposure
The breach data, which occurred in May, has been loaded into popular breach checking service Have I been pwned.
You can search for your email address on that site, and if your mail is tied to any data breaches (not just Mangatoon), the site will let you know which sites, what data, and when it was breached.
Password disasters of our time
The 23 million or so accounts have been exposed purely because of bad password management. All of this data was, incredibly, sitting behind the “password”.
Mangatoon changed the password after the system breacher notified it. However, no customers have been notified and anyone unaware would think everything is currently business as usual. The truth is that things couldn’t be further from the case. Are there other, similarly poorly secured databases? Has the password been changed to something that isn’t “password123”?
Elasticsearch makes use of a variety of security features for all manner of configurations, so will Mangatoon be making use of these in future?
So many unanswered questions in a situation such as this isn’t massively reassuring.
Lock down your databases
Poorly secured Elasticsearch databases are juicy targets for those up to no good. At least 450 ransom notes were discovered demanding payment in return for files found on Elasticsearch databases back in June of this year. Sadly for anyone paying up to recover the stolen files, there’s a good chance the attackers had already deleted them. This is, of course, a valuable reminder to back up your data.
This is especially true considering Elasticsearch sits alongside both Redis and MongoDB as some of 2022’s top exposed databases.
If you use Mangatoon you should change your password to your account now. If you’ve used the same username and password combination on other accounts, you should change those too.