Tue Jan 18, 2022 2:34 pm
Hi all OpenSubtitles users,

What happened

We have some bad news... we have been hacked.

In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it.

He asked for a BTC ransom to not disclose this to public and promise to delete the data.

We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.

He gained access to all users data - email, username, password...He promised the data would be erased and he would help us secure the site after the payment.

The site was created in 2006 with little knowledge of security, so passwords were stored in md5() hashes without salt It means, if you used strong password (lets say at least 10 characters with lowercase, uppercase, number and special characters) you should be safe, but short easy passwords, specially if they are in the english dictionary can rather easily be extracted from these data.

Most users didn't use these strong passwords, it means, hacker can get access to user accounts. So he can download subtitles and so on, he didn't gain access to any credit card data or so - these are stored outside of our platform.

What you should do

- change opensubtitles.org and opensubtitles.com and forum password (we are requesting this)
- if you used opensubtitles.org password somewhere else, change it as well, specially important for emails and services where you have any payments and personal details

What we should have done

It is hard lesson for us. It is kind of amazing, that the site was hacked now, after 15 years - so that hacker must have spent quite a lot of time and energy on it. First of all, if a site is hacked, there should be minimal talk with hacker, if he promise something - it means in reality nothing as we learned in hard way. We should have spent more energy on securing the site and kick out the old md5() without salt passwords long time ago.

What we actually have already done

The site SHOULD be more secure now, we improved the way users are connecting to the site, the accounts will be locked after some successful logins, we introduced new password policy, we removed session info from table, IP should not be spoofable anymore, Captchas on login, register, password-reset, CSRF on forms, requests will be cancelled if admins change their IP during session, user passwords are saved in safe form using hash_hmac and sha256 algo with salt and pepper, all md5() passwords are deleted. For IT geeks - yes, we are using password_hash(), with peppered sha256 password, BCRYPT and for verification password_verify()

Note that our new site, opensubtitles.com was built with stronger security concerns, and already included all the points described above.

Last words

Accept our humble apologies, as you can see a hack can occur at any moment, and there is nothing much that you can do, even paying a ransom doesn't guarantee your safety. Please don't use the same passwords across different projects - that's the biggest possible mistake you can do.

If you didn't change your password yet, please do it now - use different password than before:

Reset password on www.opensubtitles.org
(please make sure you insert your valid opensubtitles.org email, you receive email, where is confirmation link - you need to click on it. Then you can use new temporary password which is in the same email)

Reset password on www.opensubtitles.com

Reset password on forum.opensubtitles.org

If you are not using some password manager, it can be a good time to consider it, they'll help you switch to using long and complex passwords, notify you of security issues, manage 2FA, and access your passwords from all your devices with the only need to remember one master password (or have it linked with your fingerprints or other) List of best password managers

We are in contact with Troy Hunt, if you are not using HaveIbeenPwned service, it is about time.

We will become members of HackTrophy to avoid similar attacks in future, it is better to deal with white-hat hackers.

This post will be updated over time to add some important information.

19th Jan 2022 UPDATE
- when updating your password, please wait for email and don't send another email, otherwise it can create problems - we are using ONE confirmation string per User, so when you create second request for password change and you will receive email from first password change, you will get error. So request password just one time, wait and please check also your email spam

- when you try to reset your password and system write you "email not found" - then please make new registration. We changed encoding of data table and there was some shadow duplicates and some user accounts are just gone (few of them)

- OpenSubtitles UPLOADER stopped working - I contacted developer, he need to release and update, there is nothing else I can do

- if you really can not reset your password (it can be, that your email is blocking our email and need some human confirmation), then you can contact us

- the breach occurred in august last year, but the data were only leaked last friday

- of course this is not an excuse, but there's more and more hackers, getting more and more creative and greedy, just as active against big businesses as small ones. If companies like microsoft, facebook, twitter, nintendo or zoom can get hacked, what are our chances as a tiny team to not end up getting attacked ?

20th Jan 2022 UPDATE
- some of API programs used MD5() passwords to communicate with API, read here more viewtopic.php?f=11&p=46892#p46892
- replying to hundreds of emails
- working on better password reset system as pointed in comments
- OpenSubtitles.org is END OF LIFE project - we are moving completely to www.opensubtitles.com ASAP (which can take 1 year

21th Jan 2022 UPDATE
As some user pointed in this thread, sending plaintext password is not so good idea, so we completely changed password reset system, there is no more password in plaintext in emails, only password reset links.

SURSA