The most popular subtitles website, OpenSubtitles, was compromised by an attacker. In their forum post, site admin OSS revealed that a hacker contacted them back in August 2021 via Telegram and provided confirmation that he had access to user data.
OSS said that they didn't have much knowledge about security when OpenSubtitles was launched back in 2006, and not much was done to strengthen security in later years either. That allowed the attacker to perform SQL injection after compromising the weak password of a SuperAdmin account.
The SQL dump downloaded by the attacker included usernames, passwords, and emails; no credit card details were compromised, as they are stored on a different platform. However, Have I Been Pwned also reveals that the data dump contained users' IP addresses and countries.
OpenSubtitles hacked: The horror story!
Back in August, the attacker demanded a hefty ransom in Bitcoin in exchange for not disclosing the attack. They promised that they would help OpenSubtitles close the security loopholes and delete the data dump. Both promises turned out to be false: the money was paid and OpenSubtitles was left with nothing but a lighter bank account.
After learning a "hard" lesson from the cyberattack, OpenSubtitles has since improved security by making some under-the-hood changes. The site had been storing passwords as unsalted md5() hashes; this has now been changed to hash_hmac with SHA-256 plus salt and pepper, OSS said.
OpenSubtitles has also introduced a new password policy, locks accounts after unsuccessful login attempts, and shows a captcha on the password reset and login pages, among other places.
While fan-made subtitles are illegal in most cases, people rely on them to watch content in a different language. If you are a frequent visitor, change your password on both the OpenSubtitles.org and OpenSubtitles.com domains.
One thing to note is that IP and email addresses are part of the data dump, according to HIBP. This could be a concern for OpenSubtitles users who also frequent pirate portals and use the same credentials there.
Many people reuse the same password across different sites, which makes a breach like this far more damaging. A good password manager app will remember a unique credential for each site and store them all in encrypted form.