Mangatoon, a free-to-use comic book app from where users can read manga on their smartphones and other devices, has fallen victim to a significant data breach. The Shanghai-based app was founded in 2014 and has received over $10 million in investment funding.
According to a tweet from Have I Been Pwned, data from 23 million user accounts were leaked online, including “email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes.”
Hacker claims responsibility for hack
A hacker known as “pompompurin” has claimed responsibility for the leak. The same hacker previously claimed responsibility for hacking FBI emails in 2021, when they sent thousands of emails warning recipients of a fake cyberattack and for a large-scale data theft from Robinhood in the same year.
BleepingComputer, one of the first sources to break this story, said it had spoken to the hacker, who said they would likely leak or sell the data in the future.
The hacker also told the site that they stole the database from an Elasticsearch server using weak credentials, making a hack almost inevitable. According to BleepingComputer, pompompurin said: “It was ES, they had credentials on it but it was just “password”, they changed the credentials after I emailed telling them but they never notified their customers and never replied.”
If this is the case, it serves as a reminder that it’s vital to ensure cybersecurity measures like firewalls are backed up by strong, hard-to-crack passwords.
What action should Mangatoon users take?
If you’re a Mangatoon user, your first port of call should be Have I Been Pwned. You can enter your email address there to see if it has been involved in a data breach.
If Mangatoon hasn’t notified you that your data has been involved in a breach, you should still take preventative action to keep your account safe. Reset your password to something strong that you don’t already use on another site, and, ideally, use a password manager app to create and store your password.