bogd
Posts: 4
Joined: Wed Jan 19, 2022 8:45 am

Re: We have been HACKED

Wed Jan 19, 2022 11:46 am

OK, I should have read the email more carefully :) - the confirmation link is there, and the new password only takes effect after clicking the confirmation link. In my defense, the email message could have been worded a bit better, and maybe point to a "set your password" link, to avoid sending the new password by email. Nevertheless, this does make my second point invalid.

However, the first point still stands. :)

It appears that you still have some work to do on the security side...

The opensubtitles.org password reset link is... problematic. For the following reasons:
1. The message is different, depending on whether the email address entered corresponds to a valid account or not (allowing a potential attacker to figure out if a specific email corresponds to an account)
2. There is no validation of the request. Once somebody enters a valid email, that account's password is reset and emailed to the associated address. (allowing a potential attacker to reset anyone else's password)

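The two reset-flow problems bogd lists (a response that differs for known and unknown addresses, and a password reset that happens with no confirmation step), together with the emailed-password complaint raised elsewhere in the thread, illustrated by an added example of a token-based reset flow. This is constructed illustration code, not OpenSubtitles' own code; the in-memory user table, the token lifetime and the mail outbox are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the site's user table (assumption, not real data).
USERS = {"alice@example.com": {"pw_hash": "old-hash", "reset": None}}
TOKEN_TTL = 900          # seconds a reset token stays valid (assumption)
OUTBOX = []              # stand-in for outbound mail, so the flow runs offline
GENERIC_MSG = "If that address has an account, a reset link has been sent."


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Stage 1: same message whether or not the address exists (no account
    enumeration), and nothing about the account changes yet."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a leaked table cannot be replayed.
        user["reset"] = {"hash": _digest(token), "expires": now + TOKEN_TTL}
        # The mail carries a link with the token, never a password.
        OUTBOX.append((email, "https://example.invalid/reset?token=" + token))
    return GENERIC_MSG


def confirm_reset(email, token, new_pw_hash, now=None):
    """Stage 2: the password changes only when the mailed token is presented,
    is unexpired, and has not been used before."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None or user["reset"] is None:
        return False
    rec = user["reset"]
    if now > rec["expires"]:
        user["reset"] = None          # stale token is discarded
        return False
    if not hmac.compare_digest(_digest(token), rec["hash"]):
        return False                  # wrong token: pending token stays untouched
    user["reset"] = None              # single use
    user["pw_hash"] = new_pw_hash     # caller supplies an already-hashed password
    return True
```

Every reset request returns the same message and the stored password is untouched until the token from the mail is presented, so neither of the two listed problems is present.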
bogd
Posts: 4
Joined: Wed Jan 19, 2022 8:45 am

Re: We have been HACKED

Wed Jan 19, 2022 11:53 am

Oh, and one more thing - you REALLY need to work on your disclosure policy. What you are LITERALLY saying here is "we paid the money, and hoped no one will ever find out". Yet, surprisingly enough, hackers do not play by your rules... :)

The fact that the data became public last Friday does NOT mean that it was not sold and circulated in closed circles before that. In fact, it is very likely that once the hacker got your ransom, they just turned around and sold the data to get even more money.

I can live with the fact that you were hacked - you are a small team, and mistakes happen. However, the fact that you decided not to go public shows that you were more concerned about your image than the safety of your users. A simple "potential compromise" message + forced password resets would have gone a long way toward protecting the users - but you chose to stay quiet for 5 months, until the %$@^ hit the fan and you were forced to do something...

nascentt
Posts: 1
Joined: Wed Jan 19, 2022 12:33 pm

Re: We have been HACKED

Wed Jan 19, 2022 12:42 pm

  • Why am I finding out that my account was hacked half a year after the fact?
  • Why did I have to find out from a 3rd party service?
  • Why have you still not emailed users to tell them they were hacked?
  • Why have you not reset all user passwords?
  • Why did you not do this back in August last year?!

UsenetAlias
Posts: 11
Joined: Fri Sep 24, 2021 12:10 pm

Re: We have been HACKED

Wed Jan 19, 2022 12:44 pm

quote:
@UsenetAlias - please reset your password, click one time on forgotten password, write your email there and wait until the email arrives. If you do it twice, the first email will not work and you can encounter this error. If you can not reset your password for some reason, write us a PM

But of course... it's not like it's rocket science or something, but it just doesn't work. When I ask for a new reset, I use the latest mail/link. It keeps saying there is an error. It's not the first time there are issues with password resets. The activation link doesn't work for me.

Bye.

Edit: solved!
Last edited by UsenetAlias on Thu Jan 20, 2022 4:43 pm, edited 2 times in total.

yngndrw
Posts: 1
Joined: Wed Jan 19, 2022 12:54 pm

Re: We have been HACKED

Wed Jan 19, 2022 1:05 pm

quote:
Well, it happens... maybe next time don't let 5 months pass by before telling us we should change our passwords, you could have easily reset everyone's passwords and sent a notification, after fixing the database's security issue :)

quote:
So there's a little confusion here.

Nothing was leaked in August, we followed the hacker's request, secured our services, hired an extra sysadmin, ran extra audits.

Then on January 11th we received the same request, from the same data breach, but from what seemed to be a collaborator of the original hacker, we contacted the first hacker who promised he'll solve the issue for us, but he didn't.

The data seems to have been leaked on the 14th of January, we heard of it on the 15th, rushed to lock all accounts and set up the force change password strategy, posted here on the 18th.

Yeah we messed up, we got scammed and screwed, lost months of revenue to try and avoid the leak for nothing, but it's not like we did nothing in 5 months...
You're right there is a little confusion here, allow me to explain.

In August 2021, there was a breach. This is the point at which data was leaked - the data left your custody and that is a leak, it's as simple as that. This is the point where you should have notified everyone.

On the 14th of January nothing changed, the data had already leaked about 5 months earlier.


I hope you've now reported the breach to the relevant authorities. (For GDPR) You've already passed the 72 hour reporting period, but better late than never.


PS: I know you've mentioned in other posts that you're a team who don't get paid for the majority of your time and work, but that doesn't change anything in regards to your responsibilities. If you can't securely handle credentials, then simply don't - Use another external identity provider. Don't require sign-in if it isn't strictly necessary. Don't accept personal information if it isn't strictly necessary.

rustroest
Posts: 12
Joined: Sun Apr 26, 2015 11:31 pm

Re: We have been HACKED

Wed Jan 19, 2022 1:05 pm

I have been able to change my password for the forum successfully, but for the site Opensubtitles.org that's impossible.
When I follow the steps and enter my email address it keeps saying that an email was sent to change the password, but I don't receive the email. It's not in my spam box either. So, what can I (and mostly you) do about that?

bpenris
Posts: 1
Joined: Wed Jan 19, 2022 1:37 pm

Re: We have been HACKED

Wed Jan 19, 2022 1:41 pm

If you're taking security more seriously, why are you still sending out new passwords through unencrypted, regular email when doing a password reset?

Besides that, your own MTA seems to add ***SPAM*** to the subject line of the "Welcome to the forum" email.

This does not look like a properly run operation at all....

Jinx234
Posts: 2
Joined: Wed Jan 19, 2022 2:45 pm

Shame on you!

Wed Jan 19, 2022 2:49 pm

Apology not accepted. You should have informed us right away but instead you informed us when the hack was exposed.

I have nothing good to say about this. Luckily I'm smart enough to have different pws for everything I use because I know we can't rely on parties like yourself to keep our info safe or take responsibility when that info has been stolen.

Jinx234
Posts: 2
Joined: Wed Jan 19, 2022 2:45 pm

Re: We have been HACKED

Wed Jan 19, 2022 2:52 pm

Shame on you, I don't fault you too much for being hacked, it happens constantly, even though apparently you had a lot of holes, but I don't have any technical knowledge about that.

But I do fault you for hiding it from us and not giving us the opportunity to take action, there is no excuse for that.

TieT
Posts: 4
Joined: Wed Jan 19, 2022 10:35 am

Re: We have been HACKED

Wed Jan 19, 2022 3:11 pm

quote:
Well, it happens... maybe next time don't let 5 months pass by before telling us we should change our passwords, you could have easily reset everyone's passwords and sent a notification, after fixing the database's security issue :)

quote:
So there's a little confusion here.

Nothing was leaked in August, we followed the hacker's request, secured our services, hired an extra sysadmin, ran extra audits.

Then on January 11th we received the same request, from the same data breach, but from what seemed to be a collaborator of the original hacker, we contacted the first hacker who promised he'll solve the issue for us, but he didn't.

The data seems to have been leaked on the 14th of January, we heard of it on the 15th, rushed to lock all accounts and set up the force change password strategy, posted here on the 18th.

Yeah we messed up, we got scammed and screwed, lost months of revenue to try and avoid the leak for nothing, but it's not like we did nothing in 5 months...
You're right there is a little confusion here, allow me to explain.

In August 2021, there was a breach. This is the point at which data was leaked - the data left your custody and that is a leak, it's as simple as that. This is the point where you should have notified everyone.

On the 14th of January nothing changed, the data had already leaked about 5 months earlier.


I hope you've now reported the breach to the relevant authorities. (For GDPR) You've already passed the 72 hour reporting period, but better late than never.


PS: I know you've mentioned in other posts that you're a team who don't get paid for the majority of your time and work, but that doesn't change anything in regards to your responsibilities. If you can't securely handle credentials, then simply don't - Use another external identity provider. Don't require sign-in if it isn't strictly necessary. Don't accept personal information if it isn't strictly necessary.
Yes, this comment is on point!

quote:
yeah we messed up, we got scammed and screwed, lost months of revenue to try and avoid the leak for nothing, but it's not like we did nothing in 5 months...

I'm sorry but you did nothing, nothing that actually mattered or resolved the situation.

Reading all the comments I think there are a lot of people who are working in IT sec or have enough experience to advise or even help you.
Huge mistakes have been made and I hope you listen to the community.

Saying it will never happen again just doesn't cut it.
You lost all credibility when you paid the ransom and tried to cover the breach, you can say whatever you want, but that is exactly what you tried to do.
The breach was in August, it's as simple as that.

pooond
Posts: 46
Joined: Thu Dec 12, 2019 1:08 pm

Re: We have been HACKED

Wed Jan 19, 2022 4:21 pm

Yes, upsetting to hear, but it is what it is. It's only a subtitle site and you shouldn't be using this password for your banking or anything important anyway. If you were, that's your own tough-titty!
The fact is bigger companies including Microsoft have been hacked, and so was iOS Apple, to some extent, and these are big paid companies, not one offering freebies.
Other subtitle sites have also been hacked in the last several months, including another big one which is Subscene and Addic7ed. I don't recall to date Subscene or any other subtitle site making their users aware of this after the fact.
So those of you swearing and expecting a free service like a subtitle site to offer you encrypted protection with the security offered by very strong encryption such as 4096 bit DH and RSA key sizes, AES-256-GCM or CHACHA20-POLY1305 encryption ciphers, get fucking real. You want better security, then open up your coffers and pay for it. When a site like this is paid for by all its users and has the funds to get better security, then, by all means, moan away!
Sorry to say, until that time, STFU!
Jeez!

EDIT:

I have a paid version of a password manager and Dark Web Monitoring active as part of my security software, that supposedly always monitors the Dark Web for any of my leaked personal information; nothing has been flagged up on there that any of my personal details from this website (password/email) have been leaked. So that's a relief.


I'd also like to add, for a free voluntary service by the admins, the forum posts historically are answered on this forum within 24 hours, which is next to none compared to other subtitling websites where admins couldn't care less.
So thank you for the continuous hard work, guys.
Peace-out.
Last edited by pooond on Wed Jan 19, 2022 5:28 pm, edited 3 times in total.

bogd
Posts: 4
Joined: Wed Jan 19, 2022 8:45 am

Re: We have been HACKED

Wed Jan 19, 2022 5:03 pm

quote:
so there's a little confusion here.

nothing was leaked in august
Just one question:

How
Do
You
Know
That????


Allow me to explain. Yes, there seems to be a little confusion - but it is one that you are making. You lost the data in August. That is when the breach occurred, that is when the data left your hands. And that is precisely when you should have implemented mitigation strategies in order to protect your users.

You have absolutely no way of knowing that the data was not shared privately between various entities even after paying the ransom. You have no way of making sure that the data (which you already knew included unsalted MD5 hashes!) was not already being actively used in attacks against your users.

That is why the responsible thing to do would have been to alert your users, and force password changes. While also mentioning the unsalted hashes, so that users that reuse passwords know that they should change those passwords everywhere. And once again, that should have been done in August, when the breach occurred.

You chose not to do that. You hoped that you would be able to hide the breach, and in doing so you put your users at risk. That was irresponsible of you. That is what people are complaining about. And that is why you see so many angry comments in this thread.

TieT
Posts: 4
Joined: Wed Jan 19, 2022 10:35 am

Re: We have been HACKED

Wed Jan 19, 2022 5:53 pm

quote:
Yes, upsetting to hear, but it is what it is. It's only a subtitle site and you shouldn't be using this password for your banking or anything important anyway. If you were, that's your own tough-titty!
The fact is bigger companies including Microsoft have been hacked, and so was iOS Apple, to some extent, and these are big paid companies, not one offering freebies.
Other subtitle sites have also been hacked in the last several months, including another big one which is Subscene and Addic7ed. I don't recall to date Subscene or any other subtitle site making their users aware of this after the fact.
So those of you swearing and expecting a free service like a subtitle site to offer you encrypted protection with the security offered by very strong encryption such as 4096 bit DH and RSA key sizes, AES-256-GCM or CHACHA20-POLY1305 encryption ciphers, get fucking real. You want better security, then open up your coffers and pay for it. When a site like this is paid for by all its users and has the funds to get better security, then, by all means, moan away!
Sorry to say, until that time, STFU!
Jeez!

EDIT:

I have a paid version of a password manager and Dark Web Monitoring active as part of my security software, that supposedly always monitors the Dark Web for any of my leaked personal information; nothing has been flagged up on there that any of my personal details from this website (password/email) have been leaked. So that's a relief.


I'd also like to add, for a free voluntary service by the admins, the forum posts historically are answered on this forum within 24 hours, which is next to none compared to other subtitling websites where admins couldn't care less.
So thank you for the continuous hard work, guys.
Peace-out.
Completely besides the point, but hey if that makes you feel better.

jfcouture
Posts: 1
Joined: Wed Jan 19, 2022 6:02 pm

Re: We have been HACKED

Wed Jan 19, 2022 6:10 pm

Now I understand why I have been receiving tons of daily spam since August at my email address, with my username somewhere in the spam.
I had no idea that it came from that breach. Whoever did the breach has been active with the stolen data despite your actions.

I think you should have alerted your users back in August, not just now…

vankasteelj
Posts: 175
Joined: Sun Nov 15, 2015 1:09 am

Re: We have been HACKED

Wed Jan 19, 2022 7:15 pm

Everybody's mad for a reason: we should have known this 5 months ago, and all the accounts should've been forced to reset their password at that time. Big mistakes were made, unforgivable mistakes, but what is done is done.

Now all I can hope is you take every bit of the necessary actions on your side. Email every user, force-reset all passwords.

Opensubtitles is a good service, it runs perfectly fine most of the time and has become a truly reliable source for material. I don't forget that either.
