uffe66
Posts: 1
Joined: Wed Jan 19, 2022 9:43 am

Re: We have been HACKED

Wed Jan 19, 2022 9:59 am

It's impossible to log in at opensubtitles.org with my new or the old password. Am I doing something wrong? I have tried to make a new password and log in with that, but the same issue: no access.

vankasteelj
Posts: 175
Joined: Sun Nov 15, 2015 1:09 am

Re: We have been HACKED

Wed Jan 19, 2022 10:08 am

OpenSubtitles-Uploader has been updated, the new binaries can be found at https://github.com/vankasteelj/opensubt ... /tag/2.6.0

Note that if you're on an unsupported platform (Linux 32 bits, Windows XP) and have a locally installed version, you might want to manually make these changes: https://github.com/vankasteelj/opensubt ... 92752bb34e

emsixteen
Posts: 1
Joined: Wed Jan 19, 2022 10:20 am

Re: We have been HACKED

Wed Jan 19, 2022 10:22 am

When resetting my password I received the new password in plaintext in the email. This is a massive, massive red flag - No secure system should ever be able to do this.

oss
Site Admin
Posts: 5879
Joined: Sat Feb 25, 2006 11:26 pm
Contact: Website

Re: We have been HACKED

Wed Jan 19, 2022 10:25 am

@emsixteen - it is a generated password, which is valid ONLY if you click on the confirmation link. That password should be changed later after login. But if someone has access to your email, then it doesn't matter...

os_dev
Posts: 194
Joined: Wed Oct 17, 2018 3:42 pm

Re: We have been HACKED

Wed Jan 19, 2022 10:26 am

Well, it happens... maybe next time don't let 5 months pass by before telling us we should change our passwords, you could have easily reset everyone's passwords and sent a notification, after fixing the database's security issue :)
So there's a little confusion here.

Nothing was leaked in August; we followed the hacker's request, secured our services, hired an extra sysadmin, ran extra audits.

Then on January 11th we received the same request, from the same data breach, but from what seemed to be a collaborator of the original hacker. We contacted the first hacker, who promised he'd solve the issue for us, but he didn't.

The data seems to have been leaked on the 14th of January; we heard of it on the 15th, rushed to lock all accounts and set up the forced password change strategy, and posted here on the 18th.

Yeah, we messed up, we got scammed and screwed, lost months of revenue to try and avoid the leak for nothing, but it's not like we did nothing in 5 months...

nilleftw
Posts: 2
Joined: Wed Jan 19, 2022 10:22 am

Re: We have been HACKED

Wed Jan 19, 2022 10:27 am

To the people who can't log in with the new password:
Make sure you're clicking on the confirmation URL that's in the same email as your new password. I missed this at first.

To Opensubtitles, you should really consider improving your password reset also. The password is sent unencrypted in plain text in the email. You should really be directing the users to a password reset on the website. All passwords that have been sent out should be considered busted, and changed. The email even says "You can change your password after you log in." not, "you should".

os_dev
Posts: 194
Joined: Wed Oct 17, 2018 3:42 pm

Re: We have been HACKED

Wed Jan 19, 2022 10:33 am


2. Email out a password reset link, and ONLY reset the password after that link is accessed (thereby validating that the reset request came from the owner of the email/account).
Little confusion here: the new password is sent by email, but only activated if the user validates the change by clicking on the link in the email. So as long as the hacker didn't get access to the user's email, he can't change the password.

So... if the hacker got access to a user's email, there's not much you can do. When that happens a hacker can just use the "forgot password" on any site where the user was registered; if the user didn't have 2FA authentication, the hacker can change the password, access the account, change the email address, and then there's really nothing you can do.... (It can, and does, happen to a lot of people on their PayPal, Facebook, or any services containing much more important information.)

TieT
Posts: 4
Joined: Wed Jan 19, 2022 10:35 am

Re: We have been HACKED

Wed Jan 19, 2022 10:38 am

You fucked up? Well that's a MASSIVE understatement, don't you think??
Password stored as UNSALTED MD5 hashes ?? REALLY ???

GO hire a fucking security guy and get your shit in order, It's 2022 and still you guys think this is OK ?
Damn I'm pissed

os_dev
Posts: 194
Joined: Wed Oct 17, 2018 3:42 pm

Re: We have been HACKED

Wed Jan 19, 2022 10:45 am


To Opensubtitles, you should really consider improving your password reset also. The password is sent unencrypted in plain text in the email. You should really be directing the users to a password reset on the website. All passwords that have been sent out should be considered busted, and changed. The email even says "You can change your password after you log in." not, "you should".
It is true, but please understand it is a bit tricky to implement on the old code base of opensubtitles.org.

But that's the whole idea of rebuilding the site to make opensubtitles.com, where all of these things are solved and consolidated. (Building right now a system that won't let users re-use a previously used password, for example.)

The real big error on our side was the lack of salt in the MD5 passwords, leading to the exposed passwords, but that will never happen again... Worst case scenario now, if someone could hack us, would be a list of names and email addresses, and maybe favorite language, but no way on earth, even with quantum supercomputers, to leak your passwords again.

Note that as long as a hacker has access to the user's email, without 2FA he can reset any password one way or another.

nilleftw
Posts: 2
Joined: Wed Jan 19, 2022 10:22 am

Re: We have been HACKED

Wed Jan 19, 2022 10:46 am

Little confusion here: the new password is sent by email, but only activated if the user validates the change by clicking on the link in the email. So as long as the hacker didn't get access to the user's email, he can't change the password.
If any password is sent over email, it must immediately be changed. It shouldn't even be an option to continue using that password. It must be a requirement to change that password when you log in the first time, if you insist on actually sending passwords in plaintext with unencrypted emails.

os_dev
Posts: 194
Joined: Wed Oct 17, 2018 3:42 pm

Re: We have been HACKED

Wed Jan 19, 2022 10:52 am


GO hire a fucking security guy and get your shit in order. It's 2022 and still you guys think this is OK?
We don't think it's ok; we fixed the issue for the future.

With all the hack expenses we are working for free for quite a few months now, still offering a free service to 98% of users, who mostly use ad-blockers. Security guys make more money than us, please try to understand that.

os_dev
Posts: 194
Joined: Wed Oct 17, 2018 3:42 pm

Re: We have been HACKED

Wed Jan 19, 2022 11:00 am

Little confusion here: the new password is sent by email, but only activated if the user validates the change by clicking on the link in the email. So as long as the hacker didn't get access to the user's email, he can't change the password.
If any password is sent over email, it must immediately be changed. It shouldn't even be an option to continue using that password. It must be a requirement to change that password when you log in the first time, if you insist on actually sending passwords in plaintext with unencrypted emails.
We don't insist on doing it like this... we realize the system is deprecated; we are building an entire redesign from scratch to solve all the issues.

Now there's no way a hacker could get your decrypted passwords from us anymore, but if that hacker got access to a user's email address, that user is gonna have a lot more problems than a hacker downloading subtitles on his behalf.

TieT
Posts: 4
Joined: Wed Jan 19, 2022 10:35 am

Re: We have been HACKED

Wed Jan 19, 2022 11:01 am


GO hire a fucking security guy and get your shit in order. It's 2022 and still you guys think this is OK?
We don't think it's ok; we fixed the issue for the future.

With all the hack expenses we are working for free for quite a few months now, still offering a free service to 98% of users, who mostly use ad-blockers. Security guys make more money than us, please try to understand that.
Well... in the first place, there should be NO HACKING EXPENSES.
1. The hack was from August last year, and users were not informed until yesterday (BIG FUCK UP)
2. SA DB password was probably a breeze to hack
3. Everything stored in MD5, again BIG fuck up!
4. Paying ransom and not informing your users, again BIG fuck up!

Let me give you some pointers here.

1. Use SAML or OAuth to do authentication; you don't need passwords.
Leave it to the bigger companies to do security (they have more resources and knowledge).

2. NEVER send a password in CLEAR text through EMAIL, NEVER!
Just disable the user until they have filled in a new password; basically just send them a reset pw link and that's it!

3. Inform your end users ASAP!
You're dealing with people's information and they have a right to know.

4. Use a password manager (it's free, you know) to create STRONG SA passwords.

All these things I mentioned cost NOTHING.

woopie2
Posts: 1
Joined: Wed Jan 19, 2022 10:58 am

Re: We have been HACKED

Wed Jan 19, 2022 11:10 am

Two recommendations; I see one has already been mentioned.

Support for password managers
You recommend that people should use password managers, but that also puts requirements on the site. I went to the change password page on my phone, pasted in my newly generated password and was told I had to fill in correct values.

The problem is that the site's JavaScript validation of the new password does not accept new passwords unless one makes a keypress. I ended up pasting the password, typing one character and then deleting that character.

Password resets must require password change
Already mentioned. Never trust a password sent over e-mail. Better to send a link and have the user set a new password directly.
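
The reset-link flow that nilleftw, TieT and woopie2 ask for, written out as an added Python example (not code from OpenSubtitles or from anyone in this thread); it also replaces the unsalted MD5 storage os_dev describes with per-user salted PBKDF2. The in-memory stores, the one-hour token lifetime and the 12-character minimum are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for the site's database (assumption).
USERS = {}         # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> {"email": str, "expires": float}
TOKEN_TTL = 3600   # seconds a reset link stays valid

def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256), not bare MD5."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 210_000)

def register_user(email, password):
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}

def verify_password(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])

def request_reset(email, now=None):
    """Issue a single-use link token; only its SHA-256 is stored, no password is mailed."""
    if email not in USERS:
        return None  # the mail the user sees is the same neutral text either way
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": (now or time.time()) + TOKEN_TTL}
    return token  # goes into the emailed link, e.g. /reset?token=<token>

def complete_reset(token, new_password, now=None):
    """Opening the link proves mailbox control; the user then sets the new password."""
    now = now or time.time()
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.get(key)
    if entry is None or now > entry["expires"]:
        RESET_TOKENS.pop(key, None)  # unknown or expired: discard
        return False
    if len(new_password) < 12:
        return False  # assumed site policy; token stays valid for another try
    RESET_TOKENS.pop(key)  # single use
    USERS[entry["email"]]["salt"], USERS[entry["email"]]["hash"] = hash_password(new_password)
    return True
```

Nothing secret is ever written to the mail: a leaked mailbox or mail log only yields a token that expires, works once, and cannot be replayed after use.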

Jurren
Posts: 1
Joined: Wed Jan 19, 2022 10:08 am

Re: We have been HACKED

Wed Jan 19, 2022 11:17 am

You're still doing it wrong.

When I reset my password for opensubtitles.org a password is emailed to me in plain text. So my password is or was known on your systems in plain text (because, you know, email), and is now stored on my email server and in my email client in plain text, and that's just plain wrong.

And the worst of it: I am not asked to change this password immediately, so you can expect that a lot of users will keep this password. This is really bad practice and shows me the site admins are not aware of basic security measures. You are setting up your site for a new attack; as a hacker I would be rubbing my knuckles and waiting for the next opportunity. As I understand you have been hacked by a dishonest black hat hacker, so if I was you, I would assume that he is still on your systems and design your security around that presumption. Assuming you have been hacked is a basic rule anyway if you apply a zero trust security model.

And why did I only get an email from Troy Hunt, and not from opensubtitles.org? I would expect that they sent a password reset email with an explanation to all accounts. Not everyone is signed up to Have I Been Pwned, and as a site administrator you cannot rely on someone else to inform your users; you need to take this responsibility yourself.

And of lesser importance, but still a bad sign: the password reset email for opensubtitles.com is sent by an opensubtitles.org email address, and the password reset email for forum.opensubtitles.org has a ***SPAM*** subject. This led me to have a look at your email security, and that's just the bare minimum. You should set your DMARC policy at least to quarantine, and after a hack you should set it to reject; this would make you less vulnerable to email spoofing attacks. With the current setup spoofed emails will still land in the users' inbox. Not a good thing if you are sending out password reset emails in bulk in the coming days.

Please, get your act together, and fix those issues because I really like opensubtitles and I don't want to see it going down permanently!
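
A check for the DMARC point in the post above, added here as an example (not code from OpenSubtitles or the poster): it parses a DMARC TXT record and reports the settings that leave spoofed mail deliverable. The three records are constructed for illustration and are not any real domain's records.

```python
# Constructed DMARC TXT records for illustration; not the real records of any domain.
RECORDS = {
    "weak.example":   "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "better.example": "v=DMARC1; p=quarantine; sp=none; pct=50; rua=mailto:dmarc@better.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strict.example",
}

def parse_dmarc(txt):
    """Split a DMARC record's 'tag=value; ...' list (RFC 7489) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return the findings a defender would raise; an empty list means enforcing."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, still delivered to the inbox")
    subdomain_policy = tags.get("sp", policy)  # sp defaults to p when absent
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none: mail spoofing a subdomain is still delivered")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse goes unseen")
    return findings
```

In practice the record is fetched from the `_dmarc.<domain>` TXT entry; the function only needs the record text, so it works on a DNS answer or on a record you are about to publish.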
