  • OpenSubtitles Hacked, 7 Million Subscribers’ Details Leaked Online

    Karlston

    • 3 comments
    • 833 views
    • 4 minutes

    OpenSubtitles, one of the largest repositories of subtitle files on the internet, has been hacked. Founded in 2006, the site was reportedly hacked in August 2021 with the attacker obtaining the personal data of nearly seven million subscribers including email and IP addresses, usernames and passwords. The site alerted users yesterday after the hacker leaked the database online.


    OpenSubtitles is one of the largest and most popular subtitle repositories on the Internet. Millions of subtitle files are downloaded every week in many languages, often to be paired with downloaded movies and TV shows.


    The site was founded in 2006 by a Slovakian programmer who came up with the idea while drinking a few beers at a local pub. Following an announcement late yesterday, more beers might be needed to cope with an emerging crisis.

    OpenSubtitles Hacked, Millions of Subscribers’ Details Exposed

    In a post to the OpenSubtitles forum, site administrator ‘oss’ reveals that the site – which has millions of members – has been hacked. Apparently the development isn’t new either.


    “In August 2021 we received a message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and had downloaded a SQL dump from it. He asked for a BTC ransom to not disclose this to the public and promised to delete the data,” the post reads.


    “We hardly agreed, because it was not a low amount of money. He explained to us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low-security password of a SuperAdmin, and gained access to an unsecured script, which was available only to SuperAdmins. This script allowed him to perform SQL injections and extract the data.”

    Hacker Gained Access to All User Data

    According to ‘oss’, the hacker gained access to email addresses, usernames and passwords, but promised that the data would be erased after the payment was made. That promise was not kept.


    While no member data was leaked last August, on January 11, 2022, OpenSubtitles received new correspondence from a “collaborator of the original hacker” who made similar demands. Contacting the original hacker for help bore no fruit and on January 15 the site learned that the data had been leaked online the previous day.


    Indeed, searches on the data breach site Have I Been Pwned reveal that the database is now in the wild, containing all of the data mentioned by OpenSubtitles and more.


    “In August 2021, the subtitling website Open Subtitles suffered a data breach and subsequent ransom demand. The breach exposed almost 7M subscribers’ personal data including email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes,” the site reports.

    Measures Taken By OpenSubtitles

    OpenSubtitles describes the hack as a “hard lesson” and admits failings in its security. The platform has spent time and money securing the site and is requiring members to reset their passwords. However, for those who have had their data breached, it may already be too late to prevent damage.


    The hacker has had access to the data for several months, and now that the breach is in the wild, problems could certainly escalate. Those with exceptionally strong passwords may be safer than those who chose an easy-to-guess option, but according to OpenSubtitles, the former are in the minority.

    Threats to OpenSubtitles Members

    Perhaps the most immediate threat concerns users who used the same email address and password combination on other sites. With these in the wild, an attacker could breach third-party accounts, so immediately changing these credentials should be a priority for those affected, perhaps with the help of a password manager service such as 1Password.


    Another concern for OpenSubtitles users is that many are likely to be members of pirate sites. If they used the same credentials on those, then that is clearly an issue, but if the report from Have I Been Pwned is correct, their email addresses can now be matched with their IP addresses too.


    Only time will tell if that will prove of interest to third parties, but in privacy terms the situation is certainly not optimal. OpenSubtitles has been officially labeled as a pirate service in a number of regions, and courts around the world, including those in Australia, Greece, and Norway, have ordered the platform to be blocked by ISPs.


    Further information on the breach and actions to be taken can be found here
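    The two storage schemes at the heart of the story, as an added example that is not code from the article or from OpenSubtitles: the unsalted MD5 the breach report describes, which makes every pair of users who chose the same password visible in a leaked table, beside per-user salted scrypt with constant-time verification. The sample accounts and the scrypt parameters are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts (not breach data): two users share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "summer2021",
    "bob": "summer2021",
    "carol": "correct-horse-battery-staple-91",
}

def unsalted_md5(password: str) -> str:
    """The scheme the breach report describes: one MD5 of the raw password.
    Equal passwords give equal digests, so a leaked table reveals shared
    passwords and can be matched directly against precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def duplicate_values(stored: List[str]) -> int:
    """Distinct stored values that occur for more than one user."""
    return sum(1 for value in set(stored) if stored.count(value) > 1)

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened storage: random 16-byte per-user salt plus scrypt (memory-hard),
    encoded with its parameters so they can be raised later (assumed values)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return "$".join(["scrypt", "14", "8", "1", salt.hex(), digest.hex()])

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time.
    A malformed record simply fails verification."""
    try:
        algo, log_n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=2 ** int(log_n), r=int(r), p=int(p), dklen=32)
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)

def compare_schemes(users: Dict[str, str]) -> Dict[str, int]:
    """Duplicate count per scheme: the shared password shows up only under MD5."""
    pws = list(users.values())
    return {"unsalted_md5": duplicate_values([unsalted_md5(p) for p in pws]),
            "salted_scrypt": duplicate_values([hash_password(p) for p in pws])}
```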



    User Feedback

    Recommended Comments

    • Administrator

    Really concerning, this. Many media player programs and apps also rely on this site to get subtitles.


    However, I opened this site to check and I am surprised that the search feature (and download, for that matter) does not work without registering and logging in. If you force users to create an account to download subtitles, then it is not a surprise that a lot of accounts will end up in the open if hacked.


    Two major mistakes were made by them though. The first being a bad admin password and the second being unsalted hashing of user passwords. You cannot claim to be a big site and do this. They even have a paid VIP account feature that helps them earn something, so even that part should not be an issue I think.



    Much thanks. I just checked my email address which I use for this site and it was pwned. Upon further checking I discovered I was also using the same login details for two other websites! Needless to say I quickly changed my passwords for the two compromised logins. Thanks again Karlston.




    19th Jan 2022 UPDATE


    - when updating your password, please wait for the email and don't send another request, otherwise it can create problems - we are using ONE confirmation string per user, so when you create a second request for a password change and then receive the email from the first password change, you will get an error. So request a password reset just once, wait, and please also check your email spam folder

    - when you try to reset your password and the system tells you "email not found" - then please make a new registration. We changed the encoding of the data table and there were some shadow duplicates, and some user accounts are just gone (a few of them)

    - the OpenSubtitles UPLOADER stopped working - I contacted the developer, he needs to release an update, there is nothing else I can do

    - if you really cannot reset your password (it can be that your email is blocking our email and needs some human confirmation), then you can contact us

    - the breach occurred in August last year, but the data were only leaked last Friday

    - of course this is not an excuse, but there are more and more hackers, getting more and more creative and greedy, just as active against big businesses as small ones. If companies like Microsoft, Facebook, Twitter, Nintendo or Zoom can get hacked, what are our chances as a tiny team of not ending up getting attacked?


    20th Jan 2022 UPDATE


    - some API programs used MD5() passwords to communicate with the API, read more here: viewtopic.php?f=11&p=46892#p46892
    - replying to hundreds of emails
    - working on a better password reset system as pointed out in comments
    - OpenSubtitles.org is an END OF LIFE project - we are moving completely to www.opensubtitles.com ASAP (which can take 1 year:)


    21st Jan 2022 UPDATE


    As some users pointed out in this thread, sending plaintext passwords is not such a good idea, so we completely changed the password reset system; there are no more plaintext passwords in emails, only password reset links.

    Source: 


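    A reset-link flow with the behaviour described in the updates above (one confirmation string per user, so a second request makes the first emailed link fail, and no plaintext password in the email), as an added example that is not OpenSubtitles' code. It assumes an in-memory stand-in for the users table and a one-hour validity window; only a digest of the token is stored, so a leaked table does not hand out working links.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumed in-memory stand-in for the users table: at most one pending reset
# record per user, mirroring the "ONE confirmation string per user" rule.
_pending: Dict[str, dict] = {}
TOKEN_TTL = 3600  # assumed: a reset link stays valid for one hour

def _digest(token: str) -> str:
    """Store only a SHA-256 digest of the token, never the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token for the emailed link. A second request
    overwrites the first record, which is why the first link then errors."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    _pending[username] = {"digest": _digest(token), "expires": now + TOKEN_TTL}
    return token  # goes into the link; the password never goes into the email

def redeem_reset_token(username: str, token: str,
                       now: Optional[float] = None) -> bool:
    """Accept a token once: it must match the stored digest and be unexpired.
    Returns True and clears the record; every failure returns a plain False
    so the response does not reveal whether the user or token exists."""
    now = time.time() if now is None else now
    record = _pending.get(username)
    if record is None or now > record["expires"]:
        return False
    if not hmac.compare_digest(_digest(token), record["digest"]):
        return False
    del _pending[username]  # single use: the same link cannot be replayed
    return True
```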



