oss
Site Admin
Posts: 5878
Joined: Sat Feb 25, 2006 11:26 pm

We have been HACKED

Tue Jan 18, 2022 2:34 pm

Hi all OpenSubtitles users,

What happened

We have some bad news... we have been hacked.

In August 2021 we received a message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and had downloaded a SQL dump from it.

He asked for a BTC ransom to not disclose this to the public and promised to delete the data.

We hardly agreed, because it was not a low amount of money. He explained to us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low-security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.

He gained access to all users' data - email, username, password... He promised the data would be erased and he would help us secure the site after the payment.

The site was created in 2006 with little knowledge of security, so passwords were stored as md5() hashes without salt :( It means, if you used a strong password (let's say at least 10 characters with lowercase, uppercase, numbers and special characters) you should be safe, but short, easy passwords, especially if they are in the English dictionary, can rather easily be extracted from these data.

Most users didn't use such strong passwords, which means the hacker can get access to user accounts. So he can download subtitles and so on; he didn't gain access to any credit card data or so - these are stored outside of our platform.

What you should do

- change your opensubtitles.org, opensubtitles.com and forum passwords (we are requesting this)
- if you used your opensubtitles.org password somewhere else, change it as well; this is especially important for emails and services where you have any payments and personal details

What we should have done

It is a hard lesson for us. It is kind of amazing that the site was hacked now, after 15 years - so that hacker must have spent quite a lot of time and energy on it. First of all, if a site is hacked, there should be minimal talk with the hacker; if he promises something - it means nothing in reality, as we learned the hard way. We should have spent more energy on securing the site and kicked out the old md5() without-salt passwords a long time ago.

What we actually have already done

The site SHOULD be more secure now: we improved the way users connect to the site, accounts will be locked after some unsuccessful logins, we introduced a new password policy, we removed session info from the table, IP should not be spoofable anymore, Captchas on login, register and password-reset, CSRF protection on forms, requests will be cancelled if admins change their IP during a session, user passwords are saved in a safe form using hash_hmac with the sha256 algorithm, with salt and pepper, and all md5() passwords are deleted. For IT geeks - yes, we are using password_hash() with a peppered sha256 password and BCRYPT, and password_verify() for verification.

Note that our new site, opensubtitles.com, was built with stronger security concerns, and already included all the points described above.

Last words

Accept our humble apologies. As you can see, a hack can occur at any moment, and there is not much you can do; even paying a ransom doesn't guarantee your safety. Please don't use the same passwords across different projects - that's the biggest possible mistake you can make.

If you haven't changed your password yet, please do it now - use a different password than before:

Reset password on www.opensubtitles.org
(please make sure you enter your valid opensubtitles.org email; you will receive an email with a confirmation link - you need to click on it. Then you can use the new temporary password which is in the same email)

Reset password on www.opensubtitles.com

Reset password on forum.opensubtitles.org

If you are not using a password manager, it can be a good time to consider it; they'll help you switch to using long and complex passwords, notify you of security issues, manage 2FA, and access your passwords from all your devices with only one master password to remember (or have it linked with your fingerprints or other). List of best password managers

We are in contact with Troy Hunt; if you are not using the HaveIBeenPwned service, it is about time.

We will become members of HackTrophy to avoid similar attacks in future; it is better to deal with white-hat hackers.

This post will be updated over time to add some important information.

19th Jan 2022 UPDATE
- when updating your password, please wait for the email and don't send another request, otherwise it can create problems - we are using ONE confirmation string per user, so when you create a second request for a password change and then receive the email from the first password change, you will get an error. So request the password just one time, wait, and please also check your email spam folder

- when you try to reset your password and the system tells you "email not found" - then please make a new registration. We changed the encoding of the data table and there were some shadow duplicates, and some user accounts are just gone (a few of them)

- OpenSubtitles UPLOADER stopped working - I contacted the developer, he needs to release an update; there is nothing else I can do

- if you really cannot reset your password (it can be that your email is blocking our email and needs some human confirmation), then you can contact us

- the breach occurred in August last year, but the data were only leaked last Friday

- of course this is not an excuse, but there are more and more hackers, getting more and more creative and greedy, just as active against big businesses as small ones. If companies like Microsoft, Facebook, Twitter, Nintendo or Zoom can get hacked, what are our chances as a tiny team of not ending up getting attacked?

20th Jan 2022 UPDATE
- some API programs used MD5() passwords to communicate with the API, read more here: viewtopic.php?f=11&p=46892#p46892
- replying to hundreds of emails
- working on a better password reset system as pointed out in the comments
- OpenSubtitles.org is an END OF LIFE project - we are moving completely to www.opensubtitles.com ASAP (which can take 1 year:)

21st Jan 2022 UPDATE
As some users pointed out in this thread, sending plaintext passwords is not such a good idea, so we completely changed the password reset system; there are no more passwords in plaintext in emails, only password reset links.
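The "peppered sha256 + BCRYPT" storage scheme described in the post, written out as an added example (this is not OpenSubtitles' own code); PEPPER and BCRYPT_COST are constructed values, and the demo password at the bottom is made up:

```php
<?php
// Added example, not OpenSubtitles' own code: the "pepper + bcrypt" scheme the
// post describes. PEPPER is a constructed value; in production it lives in the
// application config or environment, never in the database next to the hashes.
declare(strict_types=1);

const PEPPER = 'constructed-pepper-do-not-store-with-the-hashes';
const BCRYPT_COST = 12; // assumed work factor; raise it as hardware gets faster

// Pre-hash with HMAC-SHA256 so the pepper is bound to the password, then let
// bcrypt (password_hash) add its own per-user random salt and work factor.
// hash_hmac() is left in hex mode on purpose: bcrypt stops at the first NUL
// byte and at 72 bytes, so raw binary output (third argument true) must not
// be fed to it. The 64-character hex digest is always below both limits.
function hashPassword(string $password): string
{
    $peppered = hash_hmac('sha256', $password, PEPPER);
    return password_hash($peppered, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// password_verify() does a constant-time comparison against the stored hash.
function verifyPassword(string $password, string $storedHash): bool
{
    $peppered = hash_hmac('sha256', $password, PEPPER);
    return password_verify($peppered, $storedHash);
}

// Call after a successful login: true when the stored hash was made with an
// older cost, so it can be re-hashed while the plaintext is still available.
function needsRehash(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Demo with a constructed password: the right password verifies, a one-letter
// change does not, and hashing the same password twice gives two different
// strings because each call draws a fresh salt.
$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('Correct horse battery staple', $stored));
var_dump(hashPassword('same password') === hashPassword('same password'));
```

Because the pepper is not stored with the hashes, a dump of the users table alone is not enough to start guessing against, which is the gap the unsalted md5() scheme left open.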

mikimik7
Posts: 7
Joined: Sun May 13, 2018 12:30 am

Re: We have been HACKED

Tue Jan 18, 2022 3:36 pm

It's impossible to log in at opensubtitles.org with my new or the old password. Am I doing something wrong?

Funchalense
Site Admin
Posts: 883
Joined: Sun Aug 03, 2014 8:09 pm

Re: We have been HACKED

Tue Jan 18, 2022 3:42 pm

It's impossible to log in at opensubtitles.org with my new or the old password. Am I doing something wrong?
You tried this? : Reset password on www.opensubtitles.org

(please make sure you enter your valid opensubtitles.org email; you will receive an email with a confirmation link - you need to click on it. Then you can use the new temporary password which is in the same email)

mikimik7
Posts: 7
Joined: Sun May 13, 2018 12:30 am

Re: We have been HACKED

Tue Jan 18, 2022 3:51 pm

Thanks for the info. I made it now!

Noobz4Life
Posts: 19
Joined: Sat Sep 11, 2021 4:21 pm
Location: Finland

Re: We have been HACKED

Tue Jan 18, 2022 4:02 pm

Was wondering why the site requested a password change. Came straight into the forums and damn. There really isn't any safe place from hackers these days =(

GhostRider1977
Posts: 5
Joined: Fri Jun 28, 2019 10:08 am
Location: Italy

Re: We have been HACKED

Tue Jan 18, 2022 5:06 pm

Hi. I can't change my password on opensubtitles.org. When I enter my e-mail address in order to get a new password it says "Wrong e-mail address". What should I do?

UsenetAlias
Posts: 11
Joined: Fri Sep 24, 2021 12:10 pm

Re: We have been HACKED

Tue Jan 18, 2022 5:44 pm

It keeps saying: "An Unknown error has occurred" after I use the link in the mail after "forgot password".

os_dev
Posts: 194
Joined: Wed Oct 17, 2018 3:42 pm

Re: We have been HACKED

Tue Jan 18, 2022 6:21 pm

Note: since we are forcing a password reset on opensubtitles.com and opensubtitles.org, it will really help if you mention on which site your problem occurs.

UsenetAlias
Posts: 11
Joined: Fri Sep 24, 2021 12:10 pm

Re: We have been HACKED

Tue Jan 18, 2022 6:42 pm

opensubtitles.org, the one I like to use :)
I use the link in the message received and then get that error.

Link with error = opensubtitles.org/nl/confirm/type-fp/a-1a20ffe0f56a91b306d4440e631884a1

doglover3920
Posts: 10
Joined: Sat Sep 08, 2018 1:47 pm

Re: We have been HACKED

Tue Jan 18, 2022 8:07 pm

Cannot log in anymore with OpenSubtitles Uploader after changing my password.
I am sure I am using the new password.

Says 401 Unauthorized

krikke68
Posts: 5
Joined: Mon Jan 21, 2019 10:51 pm

Re: We have been HACKED

Tue Jan 18, 2022 8:15 pm

My OpenSubtitles Uploader doesn't work anymore with my new password.
I'm getting the "401 Unauthorized" error.
Anyone else with the same problem?

oss
Site Admin
Posts: 5878
Joined: Sat Feb 25, 2006 11:26 pm

Re: We have been HACKED

Wed Jan 19, 2022 5:10 am

@UsenetAlias - please reset your password: click one time on forgotten password, write your email there and wait until the email arrives. If you do it twice, the first email will not work and you can encounter this error. If you cannot reset your password for some reason, write us a PM

@GhostRider1977 - if it cannot find your email address, just make a new registration.

For OpenSubtitlesUploader I contacted the developer; he is using a bit more secure login, but it stopped working because we got rid of the md5 hashes (which his application sends). Now we will wait for an update from his side.

MitchTalmadge
Posts: 1
Joined: Wed Jan 19, 2022 7:49 am

Re: We have been HACKED

Wed Jan 19, 2022 8:07 am

Using a password manager is what stops a hack like this -- which only compromises your work in subtitling -- from becoming detrimental to other areas of your life, like your bank or utilities.

If you use the same 2 or 3 passwords everywhere because they're easy to remember or you can't come up with new ones, then people with access to hacked data from a site like this can easily gain access to many of your other accounts. Figuring out a short password from an MD5 hash, especially with no salt, is very easy these days.

Use a password manager. Most of them are free. I like Enpass. My friends use LastPass. Others use DashLane. Some who prefer open source use KeePass. It doesn't matter what you use -- just use it. Stop having the same password for everything. You can get these things on your computer, your web browser, your phone, your iPad, even your smart watch. They can auto-fill so you never have to do anything or remember anything.

It took me 30 seconds to sign up for this account -- the exact same amount of time that it would take to sign up using a password from memory -- yet I don't personally know my password at all. It's safely secured in my password manager, synced with all my devices, and ready for use whenever I need it -- and I never have to know it. It's over 20 characters long, with > 150 bits of entropy, and it's almost certain that even if an un-salted MD5 hash of it were to be leaked, it could not be cracked in my lifetime.

Use a password manager. Stop putting it off. Take a weekend, pick a password manager, put all your passwords into it, and start changing them everywhere. Do it before it is too late.

bogd
Posts: 4
Joined: Wed Jan 19, 2022 8:45 am

Re: We have been HACKED

Wed Jan 19, 2022 8:54 am

It appears that you still have some work to do on the security side...

The opensubtitles.org password reset link is... problematic. For the following reasons:
1. The message is different, depending on whether the email address entered corresponds to a valid account or not (allowing a potential attacker to figure out if a specific email corresponds to an account)
2. There is no validation of the request. Once somebody enters a valid email, that account's password is reset and emailed to the associated address. (allowing a potential attacker to reset anyone else's password)

Together, these two allow just about anyone to reset anyone else's password. While not a high risk (without access to the victim's email, the attacker should not be able to get the victim's password), it can still be incredibly annoying for the victim...

Consider implementing a system similar to what you already have on the forum password reset link:
1. The printed message is exactly the same, regardless of whether the entered email corresponds to a valid account or not
2. Email out a password reset link, and ONLY reset the password after that link is accessed (thereby validating that the reset request came from the owner of the email/account).
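The two properties bogd asks for (a uniform response, and no change until the emailed link is opened), as an added example that is not the forum's or OpenSubtitles' code. The users array stands in for the database, sendMail() is an assumed stub, and the reset URL and TOKEN_TTL are assumed values:

```php
<?php
// Added example, not OpenSubtitles' code: a link-based password reset with
// (1) the same response whether or not the email exists and (2) no change to
// the account until the token from the email comes back. Storage is an
// in-memory array; a real table would be indexed on reset_hash.
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a reset link stays valid (assumed policy)

$users = [ // constructed sample data: email => record
    'alice@example.com' => ['reset_hash' => null, 'reset_expires' => 0, 'pw' => 'old-hash'],
];

function sendMail(string $to, string $body): void { /* stub: hand off to the mailer */ }

// Step 1: the caller always gets the same text, so the form cannot be used to
// tell registered addresses from unknown ones. A second request replaces the
// first token, so the older link stops working (the behaviour the 19 Jan update
// describes); keep the message in the email honest about that.
function requestReset(array &$users, string $email): string
{
    if (isset($users[$email])) {
        $token = bin2hex(random_bytes(32));          // 256 bits, unguessable
        // Store only a hash of the token: a leaked users table must not yield live links.
        $users[$email]['reset_hash']    = hash('sha256', $token);
        $users[$email]['reset_expires'] = time() + TOKEN_TTL;
        sendMail($email, "https://example.invalid/reset?token=$token"); // assumed URL
    }
    return 'If that address is registered, a reset link has been sent.';
}

// Step 2: nothing changes until the link is opened; the token is single-use
// and expires, and the lookup compares hashes in constant time.
function confirmReset(array &$users, string $token, string $newPassword): bool
{
    $hash = hash('sha256', $token);
    foreach ($users as $email => $rec) {
        if ($rec['reset_hash'] !== null
            && hash_equals($rec['reset_hash'], $hash)
            && $rec['reset_expires'] > time()) {
            $users[$email]['reset_hash']    = null;   // invalidate after one use
            $users[$email]['reset_expires'] = 0;
            $users[$email]['pw'] = password_hash($newPassword, PASSWORD_BCRYPT);
            return true;
        }
    }
    return false; // unknown, expired or already-used token: leave the account alone
}
```

Note that the password itself never travels by email: the link only proves control of the mailbox, and the new password is chosen on the site after the token is accepted.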

tatolino
Posts: 1
Joined: Wed Jan 19, 2022 9:34 am

Re: We have been HACKED

Wed Jan 19, 2022 9:44 am

Well, it happens... maybe next time don't let 5 months pass by before telling us we should change our passwords, you could have easily reset everyone's passwords and sent a notification, after fixing the database's security issue :)
