A recent data leak at the leading comic book reading platform known as Mangatoon has now resulted in private information belonging to 23 million users being exposed.

The breach occurred after a threat operator stole the account data from an Elasticsearch database that did not have sufficient security in place.

Mangatoon is an exceptionally popular application worldwide that is available for both Android and iOS. Statistics show that it is currently used by millions of individuals to read Manga comics online.

Devastating data breach disclosed

News of the breach followed an update from the well-known data leak notification service called Have I Been Pwned? (HIBP). The service added a total of 23 million Mangatoon accounts to its platform and posted a message on Twitter, revealing that names, genders, email addresses, social media account identities, security tokens from social logins, and some password details were among the information compromised.

HIBP added the exposure of the Mangatoon database accounts after the service’s owner, Troy Hunt made an unsuccessful attempt to contact the comic app company with details regarding the breach. Now that the breach has been listed on the HIBP platform, Mangatoon users are able to search for their personal email address and discover if their own account was involved in the incident and take appropriate action. The IT help site BleepingComputer also made inroads to Mangatoon by email requesting information, but received no reply.

Stolen account information from an Elasticsearch database

The breach was performed by a notorious hacker group that goes by the name “pompompurin.” The threat operator stated that it had managed to successfully steal the database from its location on an Elasticsearch server because it was employing weak access credentials.

According to pompompurin, the Elasticsearch server was simply using the word “password” as a password. The use of weak credentials to secure endpoints is among the most common causes of data breaches. Cybersecurity experts recommend that users should create passwords using a three-word combination as this approach offers a tough-to-crack yet easy-to-remember option, serving two purposes simultaneously.

The hacker group shared examples of data obtained during the breach with BleepingComputer and it was able to confirm that they did pertain to valid accounts for the Mangatoon application. When pompompurin was asked if it would sell the database or publicly release the account information it contained, the hacker gang replied that it would likely leak it in the future.

To date, pompompurin has been part of many other high-profile data breaches. These activities included stealing financial services company Robinhood’s customer data and sending fake cyberattack messages via the Law Enforcement Enterprise Portal (LEEP) operated by the Federal Bureau of Investigation (FBI).

Originally operating through the nefarious dark web forum RaidForums, pompompurin launched a brand new and similar forum known as Breached after the hacking site was seized and removed by law enforcement teams. The price at which stolen data is auctioned can vary widely, and it is not uncommon for it to be released to other cybercriminals free of charge to boost a hacker’s reputation.