A manga fansite has been hacked, forcing the owners to rebuild the codebase. Attackers have gained access to a database that housed user data, according to a notice posted on the website.
MangaDex, a website that hosts free manga comics, was taken down for maintenance until further notice.
The site’s maintainers said an unknown actor gained access to an administrator account using “a session token found in an old database leak through faulty configuration of session management”.
Although the site’s maintainers have “yet to confirm” that a data breach occurred, they are working on the assumption that it did take place.
“We started spending many hours reviewing the code for possible further vulnerabilities, and started to patch what we could find to the best of our capabilities. …As a precaution, we had started rolling out monitoring of our infrastructure and had remained vigilant in the event the attacker returned,” a message posted on the website homepage reads.
After hacking into an admin account, the attacker sent emails to users claiming that MangaDex had security flaws and alerting them to a data leak: “MangaDex has a DB leak. I suggest you tell their staff about it.”
“Following that event, we moved to identify the vulnerable section of code and worked to patch it up, also clearing session data globally to thwart further attempts at exploitation through the same method.”
Volunteer maintainers patched two of three reported vulnerabilities and are looking into the third one with the help of security researchers.
Website owners urged users to change their passwords and also announced they would be launching a bug bounty program for the site.