Hacker Leaks Personal Data of Nearly Seven Million OpenSubtitles Users

No news is not necessarily good news — at least, not when it comes to cybersecurity. OpenSubtitles.org members learned that the hard way on January 18, 2022, when the website announced that a hacker gained access to the personal data of almost seven million users in August 2021, including email and IP addresses, usernames, and passwords.

OpenSubtitles bills itself as the “biggest multi-language subtitle database” online, with about 40,000 users during “peak” weekend hours, and a website available in more than 30 languages.

While users can upload or download subtitles without registering for the site, free registration gives members access to more advanced search functions and the ability to post comments on forums. For an annual rate of EUR 10, VIP members see an advertisement-free site and enjoy higher download limits.

According to Site Admin OSS, the hacker breached a SuperAdmin’s account by hacking an unsecure password, thus gaining access to an unsecured script available only to OpenSubtitles SuperAdmins. (Luckily for paying users, credit card information was stored outside the OpenSubtitles platform.)

“The site was created in 2006 with little knowledge of security,” OSS explained in a post to the OpenSubtitles forum. “If you used [a] strong password (let’s say at least 10 characters with lowercase, uppercase, number and special characters) you should be safe, but short easy passwords, especially if they are in the English dictionary, can rather easily be extracted from these data.”

In a Telegram message, the hacker demanded a ransom in return for erasing their copy of users’ personal information and for securing the OpenSubtitles website. Coverage of the hack has alternately reported that OpenSubtitles did and did not pay the ransom.

“We hardly agreed, because it was not [a] low amount of money,” OSS wrote, noting later in the forum post that “even paying a ransom doesn’t guarantee your safety.”

Ultimately, the hacker leaked the data on January 14, 2022, prompting the organization to inform members of the breach via the OpenSubtitles forum a few days later.

While cybersecurity experts debated the details of the hack and OpenSubtitles’ steps to improve security moving forward, users discussed how the hack was handled.

“Well, it happens…maybe next time don’t let five months pass by before telling us we should change our passwords,” one user commented in response to OSS’ post. “You could have easily reset everyone’s passwords and sent a notification, after fixing the database’s security issue.”

“Would have been nice to get an email from OpenSubtitles about them being hacked BEFORE I got other accounts stolen because of it,” one user tweeted. “I know I shouldn’t use the same password in multiple places, but f---ing hell.”

One observer commented on Reddit, “Another organization not respecting GDPR. They have 72 hours to declare a data breach when they know it, at least for EU customers.”

In a series of updates to the original forum post, OSS told users that the entire OpenSubtitles project is moving to a new domain, OpenSubtitles.com — a transition that could take up to a year.

In the meantime, users have been urged to reset their passwords, come up with unique passwords for different websites, and start using a password manager.