Mangagamer database compromised


nohman

If you're using unique passwords for every site, the passwords aren't actually that valuable.  When a breach is discovered, companies will patch it and reset your password, preventing further unauthorized access to the account.  What's more concerning are e-mail addresses that contain people's real names.  Many customers wouldn't be thrilled to have their real names publicly linked with pornography.

 

If you share passwords across sites, then you should be concerned, as you're at risk of identity theft.  Sites major and minor get hacked all the time.  If you have any Internet presence at all, your previous usernames and passwords are probably in some criminal database somewhere of combinations to try first when hacking an account.  The only protection is using unique passwords for every site.

Link to comment
Share on other sites

Oh, I know all too well.

 

Like I said, it's more out of principle and that I don't want to support companies treating sensitive customer information with anything but the highest amount of precaution and security. Stuff gets hacked all the time, but properly hashed (with high cost factors) and salted passwords are still pretty much useless to hackers, so a step in the right direction.

Link to comment
Share on other sites

They need to safeguard the e-mail addresses.  However, I'm not sure what safeguards could be taken other than simply making sure the site isn't vulnerable to common routes of attack.  In other words, I'm not sure what can be done to demonstrate their commitment to customer privacy.  We've already established that encrypting e-mail addresses sounds reassuring but probably doesn't actually increase security.  Maybe they could hire a security firm to certify them as standards compliant?  I'm not sure if that would be cost-effective or feasible for them.

Link to comment
Share on other sites

I agree wholeheartedly with your notion that it's not only the passwords, but also the users' identities that need protection.

 

In Germany the TÜV (Technischer Überwachungsverein) runs these kinds of tests for online stores and e-commerce sites (one of which I work for) and issues certifications as well. Unfortunately, I don't know if there are any similar organizations carrying the same weight for the US market - not meeting TÜV standards will get you sued and your business shut down eventually on repeat offenses.

 

That's certainly something that would help ensure the safety of their servers. A company that uses unsalted MD5 hashes for passwords is pretty likely to be prone to other attack vectors, be it simple SQL injection, publicly reachable SQL servers, unsanitized user input, outdated libraries and software, unpatched OpenSSL... the list goes on, and properly securing a web server and related software is a tedious and ongoing business, as vulnerabilities pop up from time to time.

Link to comment
Share on other sites
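What the "salted, high cost factor" versus "unsalted md5" distinction in the posts above looks like in a stored password table, as an added example that is not part of the thread or of Mangagamer's code. PBKDF2 stands in for whichever slow hash a site chooses; the iteration count, storage format and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed cost factor; tune it to your own hardware

def md5_unsalted(password: str) -> str:
    """Legacy scheme named in the thread: fast, and no per-user salt."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; salt and cost are stored with the hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def upgrade_on_login(password: str, stored: str, iterations: int = ITERATIONS):
    """Return (ok, value_to_store); a matching legacy MD5 row is re-hashed."""
    if "$" not in stored:  # legacy unsalted MD5 row
        ok = hmac.compare_digest(md5_unsalted(password), stored)
        return ok, (hash_password(password, iterations) if ok else stored)
    return verify_password(password, stored), stored

def users_sharing_a_hash(table: dict) -> int:
    """Accounts whose stored value equals another account's (same password)."""
    counts = Counter(table.values())
    return sum(n for n in counts.values() if n > 1)

# Constructed sample accounts: two users picked the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

if __name__ == "__main__":
    legacy = {u: md5_unsalted(p) for u, p in USERS.items()}
    modern = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted MD5, accounts sharing a hash:", users_sharing_a_hash(legacy))
    print("salted PBKDF2, accounts sharing a hash:", users_sharing_a_hash(modern))
```

With unsalted MD5 a leaked table shows which accounts share a password and lets one guess be checked against every row at once; the per-user salt removes both properties, and the iteration count sets the price of each guess.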

That's why I always check the site certificates. Although I'm pretty much paranoid myself so everything from my FB to my YT has differing personal information, the only thing that remains constant is my age and list of disposable emails. That's where Google+ also comes in handy

Link to comment
Share on other sites

That's why I always check the site certificates.

Unfortunately this kind of hack would've completely circumvented any amount of security the certificate is supposed to offer.

Hate to say this, but Manga Gamer getting hacked by that moron almost seems like a good thing, since he didn't want to do any serious damage.  At least now they're getting serious about security and patching the holes in their armor.  It could've been a lot worse.

Even though that one tweet and the apologetic forum post (if either of those were the hacker, that is) sounded more like it was a hack for the lulz, apart from dumping easily crackable passwords he probably ended up doing more like a white hat hack, exposing and drawing attention to the security issues on Mangagamer's systems.

 

It's sad that it took a breach to expose these problems, which are all common gotchas when implementing a customer-facing site, and fixing them is as easy as following some tutorials (PHP: The Right Way comes to mind for the PHP programming language), but it's a good thing it happened if the site was this vulnerable.

 

Feel free to relay a "Good job, Mangagamer" to them from me.

Link to comment
Share on other sites

I can't praise a guy who tried to frame MG's customers as child porn collectors as a "white hat" hacker.  What he tried to do was more vicious than any criminal ring would've attempted.  All they want is your money (or your personal info to sell for money).  His goal was nothing less than destroying MG and humiliating most of the paying VN fanbase.  What he attempted (but failed to achieve in any meaningful manner) was essentially cyberterrorism.

Link to comment
Share on other sites

You're obviously right, and I didn't mean to praise him in any way over what he said or did. His claims were obviously false and the breach of Mangagamer's servers a criminal offense, obviously.

 

I'm sorry and should've worded that differently, that I'm glad no serious damage was caused and Mangagamer took the necessary steps to prevent something similar - or worse - from happening again. I just wanted to point out that he didn't cause the damage he meant to, and the website's security has been tightened as a direct consequence of the attack, making it an overall win for Mangagamer, without intending to praise the hacker or approve of his actions.

Link to comment
Share on other sites
