Open Subtitles breach: The dangers of password reuse

Popular website Open Subtitles has been breached. The impact so far: almost seven million accounts “breached and ransomed” back in August.

There’s a long and detailed post on Open Subtitles’ forum with regard to what’s happened. Notable points of interest:

The site received a message from someone with proof of having gained access to the data.

“He gained access to all users’ data – email, username, password… He promised the data would be erased and he would help us secure the site after the payment.

The site was created in 2006 with little knowledge of security, so passwords were stored in md5() hashes without salt”

Money troubles

One point of contention relates to paying off the ransom. Some coverage is claiming they paid up, but then the data eventually leaked anyway. The language in the post reads a little ambiguously:

He asked for a BTC ransom to not disclose this to public and promise to delete the data.

We hardly agreed, because it was not a low amount of money.

However you stack it up, and whether they paid the ransom or not, the data is now out there.

Dangers to your data

This one falls under the familiar banner of “password reuse is bad”. Lots of people do it, and almost everyone has likely reused login details on more than one site without realising it.

The uptake rate on two-factor authentication or similar methods of protection on accounts generally isn’t very good. I dread to think how many of the breached seven million have secondary measures applied to their various logins.

Unsalted password hashes are easy to crack. You should assume your password has been compromised and that criminals will try to use it to gain entry to all your online accounts. If you have used your Open Subtitles password on any other services, change your passwords on all of them, straight away.
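To make the “unsalted md5()” point concrete, here is an added illustration (my own example, not code from the post or from Open Subtitles) using a constructed set of three accounts, two of which share a password. Without a salt, identical passwords produce identical digests, so a leaked table immediately shows which users share a password and one precomputed lookup covers all of them; with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard hashlib, at an assumed 600,000 iterations) every stored record is different even when the passwords are the same. The account names and passwords below are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts (not data from the breach). Two users happen
# to share a password, which is exactly the reuse the post warns about.
SAMPLE_ACCOUNTS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "a different passphrase",
}

# Assumed work factor for the hardened scheme; pick it for your own hardware.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The legacy scheme described in the post: md5() with no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def unsalted_groups(accounts: dict) -> dict:
    """Group usernames by their unsalted digest.

    With no salt, equal passwords give equal digests, so anyone holding the
    dump can see at a glance which accounts share a password.
    """
    groups = {}
    for user, password in accounts.items():
        groups.setdefault(md5_unsalted(password), []).append(user)
    return {digest: users for digest, users in groups.items() if len(users) > 1}


def store_salted(password: str, salt: Optional[bytes] = None) -> tuple:
    """Hardened storage: random 16-byte per-user salt plus a slow KDF.

    Returns (salt, digest); both must be kept to verify later.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


def salted_groups(accounts: dict) -> dict:
    """Same grouping as unsalted_groups, but over salted records.

    Because each record has its own salt, no two digests collide even when
    the underlying passwords are identical, so the table leaks nothing about
    reuse between accounts.
    """
    groups = {}
    for user, password in accounts.items():
        _, digest = store_salted(password)
        groups.setdefault(digest, []).append(user)
    return {digest: users for digest, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    print("Unsalted md5 reveals shared passwords:", unsalted_groups(SAMPLE_ACCOUNTS))
    print("Salted PBKDF2 reveals none:", salted_groups(SAMPLE_ACCOUNTS))
    salt, digest = store_salted("correct horse battery staple")
    print("Correct password verifies:", verify_salted("correct horse battery staple", salt, digest))
    print("Wrong password rejected:", verify_salted("wrong guess", salt, digest))
```

The first print shows alice and bob collapsing into one group under the legacy scheme; the second shows the salted table giving no such grouping. Verification still works because the salt is stored alongside the digest and reused on login, which is what lets the defender keep every record distinct without losing the ability to check a password.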

It’s very quick and easy to hijack several logins tied to one person. If an attacker manages to gain access to a primary email account used for password resets on lots of other accounts, then they really have hit the jackpot.

Those accounts can all be used for spamming, malware distribution, social engineering, phishing…the sky’s the limit.

If your data is in the breach, you absolutely must go and take stock of any accounts sharing login details as soon as you can. Get yourself a password manager, a temporary notepad file to jot down your possible duplicates, and kickstart the damage limitation process.

As for Open Subtitles, some folks still aren’t happy with the direction the fixer-upper has taken. Do your bit and address the lingering threat of password duplication. While it remains to be seen how the subtitle breach shakes out, there’s nothing wrong with ensuring the rest of your logins are in safe hands.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.