Opensubtitles security vulnerability: data of millions of users accessible

If you are looking for suitable subtitles for series and/or movies, you often can’t avoid the extensive database of “Opensubtitles”. Accordingly, the website has a huge number of active users. Those same users may now feel rather uneasy: the operators themselves have announced that sensitive data of almost 7 million users was openly accessible and stolen. The reason for this was a massive data leak.

Massive data theft

Opensubtitles is the next website to fall victim to a cyber attack. It seems that those responsible for the popular website did not make it very difficult for the attackers. Due to a data leak, the criminals were able to steal the data of about 7 million users. The operators reacted quickly and paid a hefty ransom in Bitcoin, which now turns out to have been a mistake. In the end, the attackers put the stolen data online anyway. The website discusses the problem quite openly in a post on its own forum:

“In August 2021, we received a message on Telegram from a hacker who proved to us that he was able to gain access to Opensubtitles.org’s user table and downloaded an SQL dump of it.”

Publication despite ransom payment

The incident surrounding Opensubtitles is another example of how a ransom payment by no means guarantees relief. This is as true in kidnapping cases in the “real world” as it is in cybercrime online. However, options such as anonymous Bitcoin payments often make it even easier for perpetrators to run away with the ransom and not keep their promise. Opensubtitles also paid the extortionists a hefty sum of money in Bitcoin. In return, the developers are said to have even received help from the attackers to fix the problems.

However, the apparent support from the attackers subsequently turned out to be hollow. Instead, the hackers published the stolen data on the web without further ado. The user data was listed meticulously in a database that interested parties could access. If the ransom payment hadn’t “gone wrong”, we probably would never have heard about the attack. After all, Opensubtitles did not inform its users until it knew that the attackers had released the data.

Too weak password as gateway

But how were the attackers able to gain access to the website in the first place? Here, the criminals took a rather classic route. They apparently managed to find out the password of a “super admin”. This, of course, gave them the necessary admin rights. They executed a script and were able to download the data of millions of users.

Sensitive data affected

According to Opensubtitles, the criminal or criminals were able to access all user data of the logged-in users. For the 7 million people affected, the attackers could then retrieve data such as email addresses, IP addresses and even passwords. This poses a particular threat to users who use the same password on Opensubtitles as they do on any other service. Because the website operators kept quiet, this risk is not small. After all, the passwords have now been openly accessible for almost half a year. Open communication here would have been quite advisable and, above all, fair.

Opensubtitles vows improvement

Of course, the website operators now look more than stupid. Becoming a victim of a cyberattack is one thing. Trying to cover it up, on the other hand, is far more problematic. Opensubtitles, however, sees the cyber attack as a mistake from which they can and want to learn. According to the company’s own statements, they have tried to improve after this “hard lesson”. A lot of money has been invested in security to be better prepared in the future.

Simon Lüthje

I am co-founder of this blog and am very interested in everything that has to do with technology, but I also like to play games. I was born in Hamburg, but now I live in Bad Segeberg.
