Insecure password leads to Mangatoon data exposure

The hugely popular Manga comics platform Mangatoon has fallen victim to a data breach. No fewer than 23 million user accounts could be at risk, thanks to a poorly secured database. Worse still, the breached entity doesn’t seem to be responding to messages from either the attacker or the people notifying them that the breach has taken place.

A limited edition run of exposed accounts

Mangatoon allows comics fans to read a variety of web comics for free via the app, with the option to “unlock” whole comics for a fee. Unfortunately for them, their Elasticsearch database was compromised, leading to several attempts to get their attention.

No response was forthcoming by email or even social media. Even Bleeping Computer, reporting on this story, has had no success in contacting the site owners. While it’s possible everyone involved is too busy fixing the problem, the complete lack of a reply is concerning.

Checking for exposure

The breach, which occurred in May, has been loaded into the popular breach checking service Have I Been Pwned. What this means is that you can search for your email address on the site. If your mail is tied to any data breaches, the site will let you know which sites, what data (without revealing specifics), and when, if at all possible. It’s important to note that the site will pull up results for any data breach, not just this one, assuming your data is included.

Password disasters of our time

The 23 million or so accounts have been exposed purely because of bad password management. All of this data was, incredibly, sitting behind the “password”.

Mangatoon changed the password after the person who breached the system notified them. However, no customers have been notified, and anyone unaware would think everything is currently business as usual. That couldn’t be further from the truth. Are there other, similarly poorly secured databases? Has the password been changed to something that isn’t “password123”? Elasticsearch makes use of a variety of security features for all manner of configurations. Will Mangatoon be making use of these in future?

So many unanswered questions in a situation such as this aren’t massively reassuring.

Lock down your databases

Poorly secured Elasticsearch databases are juicy targets for those up to no good. Back in June of this year, at least 450 ransom notes were discovered demanding payment in return for files. Sadly for anyone paying up to recover the stolen files, there’s a good chance the attackers had already deleted them. This is, of course, a valuable reminder to back up your data.

This is especially true considering Elastic sits alongside both Redis and MongoDB as some of 2022’s top exposed databases. If you’re just looking to read some comics, it’s unfortunate that these behind-the-scenes antics could impact you greatly. Now is the perfect time to check security settings on exposed emails, and revoke tokens / change passwords if needed.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.