OpenSubtitles is the largest subtitle download website on the Internet, and thanks to its large database and API it is also the service most used for downloading subtitles through third-party tools and players such as Kodi and Plex. That makes what has happened to it particularly worrying.
In a post on its forums, OpenSubtitles has announced that it was hacked last August and that it paid the ransom demanded so that the attack would not become public and the stolen data would be deleted. They state that paying was hard for them, because it was not a small amount of money. The problem is that it did not end there.
The data of almost 7 million users, exposed
This is the official statement from the administrators:
In August 2021, we received a message on Telegram from a hacker, who showed us evidence that he was able to gain access to the opensubtitles.org user table and downloaded a SQL dump.
He asked for a BTC ransom not to release this to the public and promised to delete the data.
We hardly agreed, because it was not a small amount of money. He explained to us how he could get access and helped us correct the error. On the technical side, he was able to hack a SuperAdmin’s low-security password and gain access to an insecure script, which was available only to SuperAdmins. This script allowed you to perform SQL injections and extract the data.
According to the company, the blame for something like this lies with the weak password on one of the SuperAdmin accounts. As always, a very secure system matters little if the human part fails, and here everything failed. Paying did not help either: the emails, passwords, IP addresses and locations of 6.7 million users had already been exposed. They do assure, however, that the attacker did not have access to bank card numbers.
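The statement describes the weakness as an admin-only script that spliced its input into SQL. The following is an added illustration written for this article, not OpenSubtitles' code: a constructed in-memory user table, the vulnerable query pattern, and the parameterized form that fixes it. The function `contrast` returns how many rows each variant hands back for the same input, so the difference can be checked as a regression test.

```python
import sqlite3

# Constructed sample rows standing in for a user table; not real accounts.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database with a minimal user table (constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flaw class from the statement: the caller's value is pasted into
    the SQL text, so the value can change what the query means."""
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound as a parameter and is compared
    literally; it is never parsed as SQL, whatever it contains."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def contrast(name: str) -> tuple:
    """Return (rows from vulnerable query, rows from safe query) for one input."""
    conn = make_db()
    try:
        return (
            len(lookup_user_vulnerable(conn, name)),
            len(lookup_user_safe(conn, name)),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    print("ordinary name:", contrast("alice"))
    print("hostile input:", contrast("x' OR '1'='1"))
```

Parameterization removes the injection, but it does not shrink the blast radius of a script that can read the whole user table: restricting such tooling further, and protecting SuperAdmin logins with strong credentials and a second factor, is what keeps one weak password from turning into a full dump.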
Unlike on other occasions, passwords were stored as unsalted MD5 hashes, so today they are easily recoverable. After announcing the breach, OpenSubtitles has taken steps to harden password storage: every password must be reset before logging back into the site, and passwords are now hashed with hash_hmac and SHA-256 with salt and pepper. They have also removed all MD5 password hashes.
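To show why the old scheme was so easy to recover and what the new one changes, here is an added Python example written for this article (not OpenSubtitles' implementation, whose PHP code the page does not show). The pepper value and the wordlist are constructed for the demo; in a real deployment the pepper lives outside the database, in configuration or a secret store.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-wide secret for the demo. A real pepper is kept out of
# the database, so a SQL dump alone does not reveal it.
PEPPER = b"example-pepper-kept-outside-the-database"


def md5_unsalted(password: str) -> str:
    """The legacy scheme named in the article: one global function, no salt,
    so every user with the same password gets the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dictionary_lookup(digest: str, wordlist) -> Optional[str]:
    """One precomputed table of md5(word) matches every user who chose that
    word; this is the weakness that makes unsalted hashes 'easily recoverable'."""
    table = {md5_unsalted(w): w for w in wordlist}
    return table.get(digest)


def make_salted_record(password: str, pepper: bytes = PEPPER) -> tuple:
    """Return (salt_hex, digest_hex). The salt is per-user and stored next to
    the hash; the pepper is the HMAC key and is never stored with it."""
    salt = secrets.token_bytes(16)
    digest = hmac.new(pepper, salt + password.encode("utf-8"), hashlib.sha256)
    return salt.hex(), digest.hexdigest()


def verify_salted(password: str, salt_hex: str, digest_hex: str,
                  pepper: bytes = PEPPER) -> bool:
    """Recompute the HMAC and compare in constant time."""
    salt = bytes.fromhex(salt_hex)
    candidate = hmac.new(pepper, salt + password.encode("utf-8"), hashlib.sha256)
    return hmac.compare_digest(candidate.hexdigest(), digest_hex)


def same_password_same_digest(password: str) -> tuple:
    """(legacy scheme collides?, salted scheme collides?) for two users who
    picked the same password."""
    legacy = md5_unsalted(password) == md5_unsalted(password)
    salted = make_salted_record(password)[1] == make_salted_record(password)[1]
    return legacy, salted


if __name__ == "__main__":
    # Constructed wordlist; any leaked md5 digest of a common word is found instantly.
    print(dictionary_lookup(md5_unsalted("password"), ["letmein", "password"]))
    salt, digest = make_salted_record("password")
    print(verify_salted("password", salt, digest), verify_salted("Password", salt, digest))
    print(same_password_same_digest("password"))
```

A per-user salt stops one cracked digest from unlocking every account with that password, and a pepper means a dump of the table alone is not enough to start cracking. Note that HMAC-SHA256 is still a fast function: it removes the precomputation shortcut but does not slow down guessing, so a deliberately slow password hash (bcrypt, scrypt or Argon2) is the usual recommendation on top of this. Forcing a reset rather than re-hashing the old MD5 values, as the site did, also avoids carrying the weak digests forward.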
If you want to check whether your email and password were in the stolen database, go to Have I Been Pwned? and enter your email, as OpenSubtitles has already sent it the data. To grasp the seriousness of such breaches: Have I Been Pwned states that 75% of the exposed emails were already in its database from previous hacks.