pompompurin copied the personal details of 15 million users of the comic reading platform MangaToon. Their password was password.
As the blog of the Czech-based IT security company CyberSecurity Help reports, the hacker pompompurin was able to download the MangaToon database a few weeks ago. MangaToon is mainly used as an app for Android and iOS to access corresponding works. In order to be able to read the comics, manga and other reading material, fans have to purchase so-called coins. This requires registration, which naturally leaves countless data.
MangaToon: the password was password
According to cybercriminal pompompurin, in May he was able to copy MangaToon’s Elasticsearch server database, which was only protected with an extremely weak password. He then contacted the operating company to warn them. The password of the corresponding server was then changed. A warning to the users has not yet been issued.
Last week the notification service Have I Been Pwned (HIBP) added 15 million MangaToon accounts to its platform, with names, email addresses, genders, social media account identities, social login authentication tokens, and salted MD5 password hashes. Notably, 09% of this data was already in the HIBP database.
Before using the leaked information, HIBP owner Troy Hunt first tried to contact MangaToon but was unsuccessful. He tried email and Twitter; there was no response. The colleagues from the news portal Bleeping Computer also tried to reach MangaToon for a statement, in vain.
No answer is also a
Hacker pompompurin will publish or try to sell the illegally copied database sometime in the future. He caught the attention of cybersecurity experts and law enforcement agencies in November 2021 when he successfully hacked into the FBI’s email server.
The hacker was a regular contributor to RaidForums for a long time. After law enforcement agencies confiscated the forum’s servers in April, pompompurin is said to have been involved in founding its successor, breached.to. According to our research, the MangaToon data set has not yet appeared there. The seller is probably in no hurry to offer the data.
As pompompurin tells Bleeping Computer, the Elasticsearch server’s password was just “password”. That is a “protection” against unauthorized access that offers none.
This may explain why no one from the company is willing to comment publicly on this case. At least MangaToon should have warned its own users.