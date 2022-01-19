Screenshot : OpenSubtitles / Gizmodo

A hack of OpenSubtitles, a popular website for downloading subtitles for series and films, has exposed 6,783,158 email addresses, usernames, password hashes, IP addresses and geographic locations.

According to a message posted on the community forum, a hacker gained access to all user data in August 2021. The attacker then demanded a ransom from the site's administrators via Telegram, promising to delete all the data after receiving a Bitcoin payment.

OpenSubtitles agreed to pay the sum, which “was not small”, and the hacker then explained how he had done it. First, he gained SuperAdmin access through a weak password. With that level of privilege, he reached a vulnerable script that allowed him to perform SQL injection and extract all the data.

OpenSubtitles was created in 2006 with little attention to security, so all passwords were stored as unsalted MD5 hashes. Without a salt, every account that shares a password shares the same hash, and MD5 is fast enough that passwords shorter than 10 characters with no digits or symbols (the vast majority) were cracked easily with standard cracking tools. Luckily, no credit card numbers were stored.

The site's administrators acknowledge that they should have improved the security of their platform “a long time ago”, and ask all users to change their passwords on opensubtitles.org and opensubtitles.com, as well as on any other website where they reused the same password.

To check whether you are among the nearly 7 million users affected by the hack, visit haveibeenpwned.com and enter your email address in the search box. Have I Been Pwned obtained the leaked email addresses directly from OpenSubtitles.

You can reset your OpenSubtitles password via these links:

The site has since improved its security with several measures. A new password policy has been implemented, session information has been removed from the user data table, IP addresses should no longer be spoofable, and a captcha is now required to log in, register, reset a password, and so on. User passwords are now stored using hash_hmac with SHA-256 plus a per-user salt and a server-side pepper, and all MD5 hashes have been deleted.
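The two password-storage schemes described above, as an added worked example that is not OpenSubtitles' own code: it first shows why an unsalted MD5 table falls to a single pass over a wordlist (and gives away shared passwords before any cracking starts), then a salted, peppered HMAC-SHA256 store in the shape the forum post describes. PHP's hash_hmac('sha256', $data, $key) corresponds to Python's hmac.new(key, data, hashlib.sha256) here; using the pepper as the HMAC key and prepending the salt to the password is this example's assumption, not a detail the post gives. The user table and wordlist are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample dump: username -> unsalted MD5 hex digest, as a 2006-era
# users table would hold it. alice and bob share a password on purpose.
LEGACY_TABLE = {
    "alice": hashlib.md5(b"sunshine").hexdigest(),
    "bob": hashlib.md5(b"sunshine").hexdigest(),
    "carol": hashlib.md5(b"letmein").hexdigest(),
    "dave": hashlib.md5(b"Xk9#qL!2vT@7m").hexdigest(),
}

# Constructed toy wordlist standing in for the short, letters-only passwords
# that made up most of the leaked accounts.
WORDLIST = ["password", "sunshine", "letmein", "qwerty", "football"]


def shared_password_groups(table):
    """Return groups of users whose stored hash is byte-identical.

    With no salt, equal passwords give equal hashes, so this needs no cracking
    at all; with per-user salts the groups vanish even for equal passwords.
    """
    by_hash = {}
    for user, digest in table.items():
        by_hash.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def crack_unsalted_md5(table, wordlist):
    """Crack every account in one pass over the wordlist.

    Each candidate is hashed exactly once and looked up against all users, which
    is why an unsalted table costs the attacker one MD5 per guess, not one per
    guess per user. Returns {username: recovered_password} for the hits.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[digest] for user, digest in table.items() if digest in lookup}


class PepperedStore:
    """Salted, peppered HMAC-SHA256 password store (assumed layout, see lead-in).

    Each row keeps a random 16-byte salt beside the digest; the pepper is a
    secret held outside the database (config file, secrets manager) and is the
    HMAC key, so a leaked table alone cannot be cracked offline.
    """

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self.rows = {}  # username -> (salt_hex, digest_hex); pepper never stored here

    def _digest(self, salt: bytes, password: str) -> str:
        # Equivalent of hash_hmac('sha256', $salt . $password, $pepper) in PHP.
        return hmac.new(self._pepper, salt + password.encode(), hashlib.sha256).hexdigest()

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # fresh per user, so equal passwords differ
        self.rows[user] = (salt.hex(), self._digest(salt, password))

    def verify(self, user: str, password: str) -> bool:
        row = self.rows.get(user)
        if row is None:
            return False
        salt_hex, stored = row
        candidate = self._digest(bytes.fromhex(salt_hex), password)
        # Constant-time comparison avoids leaking how many leading bytes matched.
        return hmac.compare_digest(candidate, stored)

    def leaked_view(self):
        """What an attacker gets from a dump of this table: salts and digests, no pepper."""
        return {user: digest for user, (_salt, digest) in self.rows.items()}


if __name__ == "__main__":
    print("shared in legacy table:", shared_password_groups(LEGACY_TABLE))
    print("cracked legacy:", crack_unsalted_md5(LEGACY_TABLE, WORDLIST))
    store = PepperedStore(pepper=secrets.token_bytes(32))
    for user, pw in [("alice", "sunshine"), ("bob", "sunshine"), ("carol", "letmein")]:
        store.set_password(user, pw)
    print("shared in new table:", shared_password_groups(store.leaked_view()))
    print("alice logs in:", store.verify("alice", "sunshine"))
```

One caveat worth keeping in mind: HMAC-SHA256 is still a fast function, so if the pepper ever leaks alongside the table, the per-user salt only forces one guess per user instead of one per wordlist entry; the pepper must therefore live outside the database, and a deliberately slow, memory-hard KDF such as bcrypt, scrypt or Argon2 would raise the cost of every guess as well.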