A website that hosts free manga comics has been taken offline after an attacker allegedly gained access to a database housing user data.
The MangaDex site was taken down for maintenance last week (March 20) after an unknown actor gained access to an administrator account.
The site’s maintainers said the attacker was able to access the account through “the reuse of a session token found in an old database leak through faulty configuration of session management”.
After taking control of the account, the attacker claims to have accessed user data.
Although MangaDex said its investigations had “yet to confirm” that a data breach occurred, it said it was working on the assumption that it did take place.
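As an added illustration (not MangaDex's code, whose session handling is not public), the following Python models the class of misconfiguration the maintainers describe: a session table that stores the raw bearer token and never invalidates it, so a token copied from an old database dump is still accepted by the live site, next to a store that keeps only a hash of the token, enforces absolute and idle lifetimes, and revokes every session on a password reset. The store classes, the lifetime values and the "admin" user are hypothetical; the "leak" is simulated by copying the session table at one point in time and replaying what it contains a year later.

```python
"""Session-store comparison: why an old DB dump should not yield live sessions.

Added example, not MangaDex code. Lifetimes and class names are hypothetical.
"""
import hashlib
import secrets
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 24 * 3600   # hypothetical: max seconds a session may live
IDLE_TIMEOUT = 30 * 60          # hypothetical: max seconds since last use


class WeakSessionStore:
    """Vulnerable: raw tokens stored, never expire, survive password resets."""

    def __init__(self):
        self.table = {}  # raw token -> user id (exactly what a DB dump exposes)

    def login(self, user_id, now):
        token = secrets.token_urlsafe(32)
        self.table[token] = user_id
        return token

    def resolve(self, token, now):
        # Any token present in the table is accepted, however old it is.
        return self.table.get(token)

    def reset_password(self, user_id, now):
        pass  # existing sessions are left untouched


@dataclass
class SessionRow:
    user_id: str
    created: float
    last_seen: float
    password_generation: int


class HardenedSessionStore:
    """Stores only sha256(token), enforces lifetimes, revokes on password reset."""

    def __init__(self):
        self.table = {}       # sha256(token) -> SessionRow
        self.generation = {}  # user id -> current password generation

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id, now):
        token = secrets.token_urlsafe(32)
        gen = self.generation.setdefault(user_id, 0)
        self.table[self._key(token)] = SessionRow(user_id, now, now, gen)
        return token  # only the client ever sees the raw token

    def resolve(self, token, now):
        key = self._key(token)
        row = self.table.get(key)
        if row is None:
            return None
        expired = (now - row.created > ABSOLUTE_LIFETIME
                   or now - row.last_seen > IDLE_TIMEOUT)
        revoked = row.password_generation != self.generation.get(row.user_id, 0)
        if expired or revoked:
            del self.table[key]
            return None
        row.last_seen = now
        return row.user_id

    def reset_password(self, user_id, now):
        # Bumping the generation invalidates every session issued before it.
        self.generation[user_id] = self.generation.get(user_id, 0) + 1


def replay_from_old_dump(store_cls):
    """Login, dump the session table, reset the password, replay a year later."""
    store = store_cls()
    t0 = 1_600_000_000.0
    real_token = store.login("admin", t0)
    leaked_values = list(store.table)        # attacker's copy of the table at t0
    store.reset_password("admin", t0 + 3600)
    later = t0 + 365 * 24 * 3600
    return {
        # Does anything readable from the dump work as a bearer token?
        "dump_value_accepted": any(store.resolve(v, later) == "admin"
                                   for v in leaked_values),
        # Does the genuine token still work if it leaked some other way?
        "real_token_accepted": store.resolve(real_token, later) == "admin",
    }


def fresh_login_works(store_cls):
    """Sanity check: a current session still resolves under the hardened rules."""
    store = store_cls()
    t0 = 1_600_000_000.0
    token = store.login("admin", t0)
    return store.resolve(token, t0 + 60) == "admin"


if __name__ == "__main__":
    print("weak:    ", replay_from_old_dump(WeakSessionStore))
    print("hardened:", replay_from_old_dump(HardenedSessionStore))
```

Hashing the stored token means a database dump yields nothing replayable on its own; the lifetime and generation checks cover the separate case where the raw token itself leaks (from logs or a client), which is why both controls are needed rather than either one.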
Planned shutdown
After gaining a foothold, the attacker contacted users via email claiming that MangaDex has a series of security flaws.
Maintainers, who work on the site on a voluntary basis, patched two of three vulnerabilities but are still looking to identify the third vulnerability with the help of security researchers.
After the breach, we started spending many hours reviewing the code for possible further vulnerabilities, and started to patch what we could find to the best of our capabilities.
This ran parallel to us opening the site after the breach, as we had incorrectly assumed that the attacker would not be able to gain further access.
However, as a precaution, we had started rolling out monitoring of our infrastructure and had remained vigilant in the event the attacker returned.
A message posted on the website homepage informing users of the security incident
Password reset
Users have been advised to change their passwords as a precaution, given the possible data breach stemming from this incident.
The website will remain offline until security features have been updated, before a “barebones” version is made available.
Maintainers also said that they will be launching a bug bounty program for the site in the future.
The Daily Swig has reached out to MangaDex for more information about its proposed security updates.