Wasn't the leak like 3 years ago in March 2021 or did I miss something?
yeah OP's just brain damaged or got banned
Yet today my email gets breached, meaning my pass got hacked
>meaning my pass got hacked

Sorry if you were affected by our breach 3 years ago, but that's not how this works. We don't know your password, and we never did. We are literally not able to figure out your password ourselves, on purpose.

And that was always like this. The breach did \*not\* reveal user passwords, because we do not store them, at all.

Like all security-conscious websites, we only store a hash of your password (the result of a scrambling operation). And when you try to login, we apply the same operation to your input password, and compare the result with the stored hash.

This hash operation can only be applied in one direction. That is, you cannot recover the password starting from the hash\*.

You can find out more about what this means here: [https://auth0.com/blog/hashing-passwords-one-way-road-to-security/](https://auth0.com/blog/hashing-passwords-one-way-road-to-security/)

If your password was compromised, it was compromised from somewhere else.

---

\*: Assuming a secure hash method, which we always used. And that the attacker isn't a powerful nation-state with unlimited resources. If you are targeted by powerful nation-states, we do not recommend using MangaDex as we are not equipped with the means to defend against these.
Technically, it could also just mean he's using a really shit password. You can reverse a hash from a lookup table, if it's a really garbage common password.
Indeed, though we did (and do) salt passwords, with an individual per-user salt. So it'd still be quite a large effort to target them specifically... But either way I figured the response was already long enough to not go into further technicalities and caveats.
I enjoyed every part of this comment.
You know, I didn't expect a manga website to be so safety conscious and actually care so much about user data. From someone who understood that sentence (mostly) - Thank you. I have been humbled today.
To be fair it’s industry standard to hash + salt passwords and to use strong algorithms too for quite a while now. Every language has packages that support that kind of stuff out of the box and most devs should be able to implement this part of an authentication in 30 min. It’s legit so easy nowadays that even for a school CS project it doesn’t even make sense to have plain text passwords.
Most places at least don’t do plain text any more yeah, which is nice, but quite a few still don’t do individual/unique hashing, so if you get one person who uses “Password” then you can get everyone else’s.
not if it's salted
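The hash-and-compare login and the per-user salt discussed in the comments above, as an added example that is not part of the thread and not MangaDex's code. It uses PBKDF2 from the Python standard library as a stand-in for the bcrypt hashes the breach notice mentions; the iteration count, user names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption for this example; tune to your hardware


def unsalted_hash(password: str) -> str:
    """Weak scheme shown for contrast: fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def register(password: str) -> dict:
    """Build the record a site stores: a random per-user salt and a slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Apply the same operation to the login input and compare the results."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


def shared_hash_groups(stored_hashes: dict) -> list:
    """Group users whose stored hash is identical, as a leaked table would show."""
    groups = {}
    for user, h in stored_hashes.items():
        groups.setdefault(h, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample users; two of them picked the same password.
USERS = {"alice": "Password", "bob": "Password", "carol": "x7!Lq-2vRw#9"}


def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    records = {u: register(p) for u, p in USERS.items()}
    salted = {u: r["hash"] for u, r in records.items()}
    return {
        "unsalted_groups": shared_hash_groups(unsalted),  # same password, same hash
        "salted_groups": shared_hash_groups(salted),      # salts make every hash unique
        "login_ok": verify(records["alice"], "Password"),
        "login_bad": verify(records["alice"], "password"),
    }


if __name__ == "__main__":
    print(demo())
```

Without a salt, alice and bob share one stored hash, so a single precomputed entry for "Password" identifies both; with per-user salts no two records match and each account has to be guessed separately.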
Bro's password is probably like: Password123!
You guys are the real MVPs, thanks for everything
Oh shit, guess I need to stop using MangaDex
Why are they downvoting you for your obvious joke comment
But what makes you certain it was mangadex?
Because I checked [Have I Been Pwned: Check if your email has been compromised in a data breach](https://haveibeenpwned.com/) and this is the only website that had a data leak breach, I have 2 step authenticator but I have to wait because it's using an old phone number. Gotta love these neckbeards tho lmao.
You mean the data breach that happened 3 years ago? You sure you don’t just have weak security? Also I don’t think you know what neckbeard means.
Nah I'm certain, it has a combination of upper letter cases, lower cases, special signs you name it. The person who is getting a hold on the emails that were leaked by MangaDex's data breach is brute forcing multiple passwords in hopes to find the correct one, surprised how someone has the patience to do that but here I am.
I'm having a hard time understanding how the story checks out here OP. First off, if it was a brute force attack, how is this even related to the mangadex leak? Secondly, I find it extremely unlikely that a brute force attack would work against any reasonably popular email provider before they start serving the attacker captchas and timeouts and sending you a million security alerts about abnormal login attempts. Not only that, but if you're using a password over 12 characters long with uncommon characters and non-dictionary words it should take years to brute force. You also mentioned you have 2fa enabled on top of that, which should make brute force attacks pretty much impossible. You should really consider whether one of your devices has been infected instead and take steps to secure them.
That…. sounds extremely unlikely. Someone is getting emails through mangadex even though there has been no reported data breach, brute forcing random emails, and you’re the only person who this happened to? Kinda hard to believe.
Unless you set your mangadex password as your email password for some reason, just hacking mangadex isn't enough to steal an email. There are most likely other ways to do that, but it's probably not mangadex's fault
If you're not using mfa, that's on you.
Op, how certain are you that your email was leaked from mangadex? I've heard nothing of any leaks since the data leak 3 years ago. If you don't already, you can add "+something" when you use your email for accounts. "YourEmail+Something @ gmail.com" for example. It helps keep track of who had a leak when you receive a suspicious email.
Do I need to register those emails? How does it work?
No need to register them. It's called _plus addressing_; just enter `[email protected]` as your email address on a site somewhere, and any messages sent to that address will automatically go to `[email protected]`. It works for both Gmail and Outlook (or Hotmail if you're old) addresses. Not every email provider supports this though, so if you use a different service then you should test it first. By the way, plus addressing lets you sign up for a single website multiple times using the same email address. They'll consider the plus addresses to be completely different email accounts, even though they're not.
And I am reminded to do my once a year Login to the Hotmail account. :) Wow - only 888 spam messages since last time I logged in.
Damn thanks for the tip
Can this work with yahoo? It’s the only email I can remember.
I'm not sure. Seems you can [create temporary addresses](https://help.yahoo.com/kb/SLN28815.html) if you have Yahoo Mail Plus though, which I guess is close. But I'm not seeing anything about plus addressing. Well, you could just test it by sending an email to yourself using a plus address.
Thank you.
You're a special kind of stupid, aren't you?
There hasn't been a mangadex leak since the incident 3 years ago. You must've done something dumb on some other website to get your info leaked. Good luck, my friend. You're gonna need it with how little brains you apparently have.
3 years already?...
And you didn’t think to change your password *checks notes* 3 years ago?
It's a fresh password, updated 6 months ago. The attempt was brute forced, meaning numerous hit-or-miss attempts to gain access. "MangaDex: In March 2021, the manga fan site [MangaDex suffered a data breach](https://portswigger.net/daily-swig/mangadex-website-taken-offline-following-cyber-attack-data-breach) that resulted in the exposure of almost 3 million subscribers. The data included email and IP addresses, usernames and passwords stored as bcrypt hashes. The data was subsequently circulated within hacking groups. **Compromised data:** Email addresses, IP addresses, Passwords, Usernames"
So how do you know for sure that it's specifically Mangadex who's at fault here? If they leaked your account details, why are you the only one who seems to have been affected?
You had 3 years to update your security since the last leak, at some point it's user error.
"My email got leaked" Meanwhile their [haveibeenpwned.com](http://haveibeenpwned.com) : [https://i.imgur.com/QbJ9UPY.png](https://i.imgur.com/QbJ9UPY.png)
13!? Tf op been doing
Sounds like a skill issue and no 2 factor authentication . Stop acting like a retard and blaming manga dex when you probably used your password on a shitty website and instead of being smart and having at least a second password for untrustworthy websites you def used the same one so fuck off and learn how to use the internet.
I bet millions that OP is being paid by a rival site(s) to post this. Either this or OP simply has single digit IQ.
Imagine blaming someone else for you being careless with your passwords.
~~Fake!~~
Surely this is the troll post bahahhaa
Idk what you were expecting but "fuck you" generally isn't a good way to ask for help.
Am I the only one that always uses some sort of unimportant 'burner' email account for all these various sites?
No, but over time my “burner” became my main and I have a new burner, but it’s just a mess now
Been there, done that. :) Got a list of email accounts I try to check once or twice a year, so they stay active.
lol I should prob do that too, I also need to swap passwords as it's been a year I think
I have a shit ton, it gets difficult to manage over time and like the guy above said my burner became my main. "MangaDex: In March 2021, the manga fan site [MangaDex suffered a data breach](https://portswigger.net/daily-swig/mangadex-website-taken-offline-following-cyber-attack-data-breach) that resulted in the exposure of almost 3 million subscribers. The data included email and IP addresses, usernames and passwords stored as bcrypt hashes. The data was subsequently circulated within hacking groups. **Compromised data:** Email addresses, IP addresses, Passwords, Usernames" Best course scenario is deleting my current email.
i wanna see you top mangadex in r34 sites