MangaToon is a very popular app used by fans of manga, the Japanese comic style, around the world, giving them access to many different graphic novels in this genre. Recently, MangaToon was hit by a massive data breach exposing 23 million user accounts. The attacker gained access to this information via an unsecured Elasticsearch database.
The breach was carried out by the hacker known as pompompurin, and it is believed that this actor was able to gain access to the database because the server used weak credentials. Pompompurin reportedly stated that the database did have credentials, but they were easily guessable: the password was simply “password”. Pompompurin apparently reached out to the company to make them aware of the hack, but the company never notified its customers and never responded to the notification.
Have I Been Pwned, a data breach notification website, added the 23 million breached MangaToon accounts to their site recently, and sent out the following tweet, “Mangatoon had 23M accounts breached in May. The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes.” A MangaToon reader can find out if they were impacted in this breach by searching their email address on the Have I Been Pwned site.
This breach in particular showcases why it is so important to use strong, complex, unique passwords. The breach was caused by the company using the worst password imaginable (“password”), the most basic, common, easy-to-guess password there is. This “password” was meant to protect millions of users’ account data, yet it was treated as an afterthought. Had the company used strong, unique passwords and taken the time to add further security measures as well, such as multi-factor authentication, this breach might well not have happened.
This also highlights why we, as users of various websites, need to make sure that we use strong and unique passwords ourselves. Though we hope that the companies we trust with our data protect it to the best of their abilities, it is always best to take your security into your own hands. Use a different password for every single account you have, and make sure each of those passwords is not only distinct from the others but complex in nature. “Password” is an unacceptable password. Many people find the task of maintaining different, complex passwords overwhelming, as they can be difficult to remember; however, there are many free password managers you can use to house your passwords. If you use one of these, all you need to remember is one complex master password, but be forewarned: with ALL of your passwords sitting in one place, it is important that this password is particularly hard to guess. It can be a challenge for some folks, but adhering to strong password hygiene principles is a fundamental building block of cybersecurity, for companies and individuals alike.
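The two weaknesses the article describes, an exposed database and a guessable password, are both things a defender can check for before an attacker does. The following is an added example, not part of the original article and not MangaToon's configuration: it audits a constructed Elasticsearch configuration for exposure and screens a credential against a small constructed blocklist (the setting names are real Elasticsearch options; the sample values and blocklist are made up for illustration).

```python
# Added example: audit a minimal elasticsearch.yml and a service credential for the
# failure modes described in the article. Configs and blocklist are constructed here.
import re

# Constructed sample configs for illustration; not taken from any real deployment.
WEAK_CONFIG = """
cluster.name: comics-prod
network.host: 0.0.0.0
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
cluster.name: comics-prod
network.host: 10.0.3.12
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Constructed blocklist; a real deployment would screen against a far larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein", "welcome"}

def parse_config(text):
    """Parse flat 'key: value' lines (enough for these settings; not a full YAML parser)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings

def audit_config(text):
    """Return findings for settings that leave the cluster reachable without protection.
    A missing setting is treated conservatively as disabled."""
    s = parse_config(text)
    findings = []
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("authentication disabled (xpack.security.enabled != true)")
    if s.get("network.host") in ("0.0.0.0", "::", "_global_"):
        findings.append("bound to all interfaces (network.host)")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP API served without TLS")
    return findings

def is_guessable(password):
    """True if the password is short or is a trivial variant of a common word:
    'Password123!' normalises to 'password' and is rejected like the original."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return len(password) < 12 or core in COMMON_PASSWORDS
```

Running `audit_config` against the weak config reports three findings and against the hardened config none; `is_guessable` rejects “password” and its decorated variants while accepting a long passphrase.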