MangaDex.org, a scanlation website where fans share pirated copies of manga, has confirmed that its members’ credentials have been stolen.
The website is a very popular place for manga fans and has been rated as the world’s 1,024th-most-trafficked website in March 2021 by Amazon’s Alexa.
The website went offline on March 21, and its maintainers said it had been compromised and that it won’t operations would continue after they performed an upgrade. After the site went offline, they posted a single index.html page that offered occasional updates on the incident.
Before the attack shut it down, the site was already in turmoil over copyright issues and dealt with multiple copyright takedown requests.
In an email to website members on April 22, the site’s admins “have identified that a partial database leak” of member data occurred back in December.
“Investigation on the database has pinned the time of the breach to be around December 2020,” they told, “though given the nature of the leaked database, we are unable to confirm if anything else more recent has been leaked.”
The leaked database contained “MangaDex username, email, bcrypt-hashed password and first & last accessed IP addresses.”
The information has not been made public as of now but is shared privately among people likely for unethical reasons. It is unknown how many people have gotten access to the data.
The March notice about the security breach warned that restoring the website will take some time, because “maintaining MangaDex is nobody’s actual job.”
In an April 6 update, the site’s maintainers detailed work on a new version of the site which would feature a revised architecture and new code. But according to them, that update did not go as smoothly as they hoped.
Website members are advised that if they reuse MangaDex password elsewhere, it’s imperative they changed it in case the hashes are cracked.