Cyber Incident Victim: MangaDex

Date: Mar 2021

Location: Japan

Summary

A major manga platform experienced a cyberattack in which a threat actor reused a session token from an old database leak to compromise an admin account, then stole the site's source code and published it on GitHub under the alias 'holo-gfx.' The attacker claimed to hold additional undisclosed vulnerabilities and a dump of the database, though the dump remained unpublished. In response, the platform preemptively shut down services to accelerate a security-focused rewrite of its infrastructure, warning users to assume all account data was breached and advising them to change passwords on any other sites where they reused their credentials.


Description

On March 17, 2021, MangaDex, a prominent manga scanlation platform ranked among the top 200 most visited websites globally with approximately 76 million monthly users, experienced a cyberattack. An unauthorized actor exploited a vulnerability in the site’s session management, reusing a session token from an old database leak to gain access to an administrator account. This initial breach allowed the threat actor to infiltrate the site’s infrastructure over a three-day period. MangaDex’s team identified the compromise on March 17 and responded by patching the vulnerable code segment and globally resetting session data to prevent further exploitation through the same method. Despite these efforts, the attacker escalated their access, obtaining and exfiltrating the website’s full source code, which they subsequently published on GitHub under the pseudonym "holo-gfx." During MangaDex’s subsequent code audit and vulnerability remediation, the attacker taunted developers by commenting on fixes, disclosing one patched flaw as a "file type confusion" bug while withholding details on a second vulnerability.

Following confirmation that the threat actor retained persistent access to their systems, MangaDex announced a temporary shutdown on March 22 to expedite development of a more secure "v5" site version, prioritizing this over maintaining a potentially compromised infrastructure. The organization acknowledged uncertainties in the timeline due to the volunteer nature of its development team but projected a downtime of one to three weeks if progress proceeded smoothly. The attacker, however, claimed possession of additional unaddressed remote code execution (RCE) vulnerabilities and web shells, asserting that the v5 rewrite would neutralize these threats. They also claimed to have dumped MangaDex’s database but stated it remained unpublished. MangaDex advised all users to treat their account data as compromised, urging password changes on any platforms sharing credentials with MangaDex accounts and warning of potential phishing campaigns should the database surface publicly. The incident underscored systemic risks stemming from legacy session management flaws and third-party infrastructure exposure.
