TV and movie subtitles website OpenSubtitles has instructed users to re-secure their accounts after sending them their passwords in plaintext.
The website, which allows users to download closed captions of their favorite movies in various languages, was subject to a data breach in August 2021, after an unknown attacker gained access via an SQL injection attack.
This incident only came to light last week, when web admins disclosed details of the breach on the OpenSubtitles forum.
The site owners took steps to secure user accounts by asking them to reset their passwords – however, in a further security oversight, they sent victims their new passwords in plaintext.
“As some user pointed in this thread, sending plaintext password is not so good idea, so we completely changed password reset system, there is no more password in plaintext in emails, only password reset links,” the admins admitted in a forum thread.
The incident
The OpenSubtitles data breach occurred in August 2021, when website admins received a message on Telegram from someone who said they could gain access to the user table of opensubtitles.org and download an SQL dump from it.
According to the web admins, the attacker demonstrated how they were able to gain access to usernames, email addresses, and passwords.
A forum post read: “[The hacker] explained us how he could gain access, and helped us fix the error.
“On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.”
The website owners admitted that the site was created in 2006 “with little knowledge of security”, meaning that passwords were stored in MD5 hashes without being salted.
If an account holder used strong password they should be safe, but short easy passwords, could rather easily be extracted from these data.
“Most users didn’t use these strong passwords,” explained the post. “It means [a] hacker can get access to user accounts. So, he [the hacker] can download subtitles and so on.”
They added that the attacker did not gain access to any payment information, which is stored outside of its platform.
Security forward
OpenSubtitles has now employed further security measures, according to the forum post, including introducing a new password policy, removing session information from the table, introducing Captchas on login, and storing user passwords in a safe form using hash_hmac and SHA-256 algorithms with salt and pepper.
“For IT geeks – yes, we are using password_hash(), with peppered sha256 password, BCRYPT and for verification password_verify(),” admins concluded.
Source: https://portswigger.net/daily-swig/opensubtitles-data-breach-users-asked-to-re-secure-accounts-after-plaintext-password-snafu
