Cyber Incident Victim: OpenSubtitles

Date: Jan 2021

Location: United States of America

Summary

OpenSubtitles suffered a breach when an attacker compromised a superadmin account with a weak password, exploiting an unsecured script to perform SQL injection and extract user data. The incident exposed 6.7 million users' email addresses, usernames, and unsalted MD5-hashed passwords, which were vulnerable to cracking. The attacker extorted the company, leading to a ransom payment, but the stolen data was later leaked publicly. Payment card information remained secure as it was stored externally. The breach highlighted security shortcomings in the site's legacy systems, prompting subsequent code updates.


Description

In August 2021, OpenSubtitles received a message via Telegram from a hacker who demonstrated unauthorized access to the site’s user database and provided evidence of a downloaded SQL dump. The attacker demanded a Bitcoin ransom in exchange for withholding public disclosure of the breach and a promise to delete the stolen data. OpenSubtitles reluctantly agreed to pay the demanded amount, which it described as substantial. The hacker revealed the intrusion method, attributing it to a SuperAdmin account secured with a weak password. This compromised account allowed access to an unsecured administrative script vulnerable to SQL injection attacks, which the attacker exploited to extract the user data. Following the payment, the hacker assisted OpenSubtitles in identifying and remediating the security flaw. The company did not disclose the incident publicly at the time, maintaining operational continuity while addressing the technical vulnerabilities.

The breach remained undisclosed until August 2022, when the stolen data appeared online and was subsequently indexed by the HaveIBeenPwned breach notification service. OpenSubtitles confirmed the exposure of 6,783,158 user records containing email addresses, usernames, and unsalted MD5 password hashes. The site acknowledged its legacy security practices, noting that the platform’s 2006 origins led to inadequate password storage methods vulnerable to cracking. No payment card information was compromised, as financial data resided on external systems. OpenSubtitles implemented code updates to enhance security and urged users to reset passwords to prevent account hijacking. The incident underscored risks associated with administrative access controls and outdated cryptographic practices, impacting one of the internet’s top 5,000 most visited sites.
