If you enjoy watching films and TV shows with subtitles, there‘s a good chance you‘ve used OpenSubtitles.org. The site, which has been around since 2001, offers a library of user-contributed subtitles and translations covering millions of videos completely free of charge. Unfortunately, as one of the largest sites of its kind on the web, it recently became the target of a major cyber attack.
In this post, I‘ll provide an in-depth look at the OpenSubtitles hack, what data was compromised, and most importantly what you should do now to keep your information secure if you have an account there. As an experienced cybersecurity writer, I see far too often how common database breaches like this expose people‘s personal data. However, with some simple precautions, you can greatly limit your risk and prevent any headaches down the road.
An Overview of the OpenSubtitles Hack
In August 2021, the administrators of OpenSubtitles received an ominous message. A hacker reached out to them via Telegram claiming to have gained access to the user database and downloaded user information including account details. As proof, they provided a sample of the stolen data showing they had users‘ email addresses, passwords, usernames and more.
The hacker said they would delete the data and not release it publicly, but only if OpenSubtitles paid a bitcoin ransom. After reviewing the evidence, OpenSubtitles worked with the hacker to fix the vulnerability that was exploited to access the database. However, despite the agreement, earlier this year in January 2022 the hacker leaked the stolen information online.
While the exact technical details were not revealed, database hacks typically occur through methods like SQL injection attacks, credential stuffing, compromised insider access, and social engineering. Unfortunately OpenSubtitles joins a long list of major sites like Twitter, LinkedIn, and Twitch that have been breached when hackers discovered a way into their systems.
Over 7 Million Accounts Impacted
OpenSubtitles has been a popular subtitle source for media players and streaming apps like Plex, Kodi, VLC and more for many years. In their post about the incident, OpenSubtitles estimated the compromised database contained data on over 7 million registered user accounts.
While using the site‘s subtitle catalog doesn‘t require signing up, having a registered account allows you to do things like make requests, save favorites, post reviews and more. However it also meant some personal data was stored for those millions of users, which is now potentially in the hands of the hackers.
Specifically, the accessed database likely included the following types of user information:
- Email addresses
- Passwords
- Usernames
- IP addresses
- User account settings
While no financial data is stored by OpenSubtitles, email addresses and passwords can be very useful to cybercriminals. The risks of such a data breach include:
- Accessing the compromised accounts
- Password reuse to access other accounts
- Phishing attacks using stolen info
- Identity theft
- Targeting users for other breaches
- Selling the data on the dark web
So what should you do now if you have an account on OpenSubtitles?
Steps to Take to Secure Your OpenSubtitles Account
If you are among the site‘s millions of registered members, here are the key steps I recommend taking now to ensure your data stays protected:
Change your OpenSubtitles password immediately
Even if you had a strong password before, change it now. Use a new, complex password that is at least 12 characters long and includes uppercase letters, lowercase letters, numbers, and symbols. Avoid common words, phrases, or personal info. This will prevent the hackers from accessing your account with the exposed credentials.
Update any accounts that reused the OpenSubtitles password
One of the biggest risks of a breach like this is password reuse. If hackers find accounts using the same credentials in other places, they can easily gain access there as well.
Carefully check all your important online accounts like email, banking, social media, and shopping sites to see if you used the same password. If so, change those as well to new, strong unique passwords. Enabling two-factor authentication provides an extra layer of protection on accounts that offer it.
Beware phishing attempts using the stolen info
Because your email (and possibly username) was exposed, be extra cautious about any suspicious emails you receive going forward. Hackers may send convincing phishing messages claiming to be from OpenSubtitles and ask you to login on a fake page to steal your new password.
Double check the sender address and links before entering any information. Reputable services will never ask for your password over email. Delete any sketchy requests.
Consider using a password manager
To truly protect yourself going forward, using a unique complex password for every account is crucial. But how do you manage all those passwords effectively? This is where a password manager app comes in very handy.
Password managers like LastPass, 1Password, and Dashlane store and synchronize strong, random passwords across all your devices while keeping them private and encrypted. This lets you have long, unique passwords everywhere without the headache of trying to remember them all.
Sign up with an alternate or temporary email address
One of the best ways to limit your exposure from future breaches is to avoid using your primary personal email when signing up new online services. Instead, consider an alternate or temporary "throwaway" email address.
Some popular disposable email options include Guerrilla Mail, Temp Mail, and 10MinuteMail. This way, even if the account info is compromised, it can‘t be tied back or used to compromise your actual personal or work accounts.
Stay Proactive with Good Security Habits
Unfortunately, database breaches targeting popular online platforms have become increasingly common. But there are many steps you can take to reduce your risk and guard your data:
- Unique complex passwords for every account
- Password manager to securely track passwords
- Enable two-factor authentication when possible
- Watch for breach notifications and reset passwords
- Use throwaway emails for low-risk services
- Beware phishing tricks trying to steal credentials
Staying proactive about your online security is the best way to avoid being impacted by database compromises like the OpenSubtitles breach. Implement these tips and habits to keep your information locked down tight.
While hacks will surely continue, armed with the right knowledge you have the power to protect yourself and make life difficult for the cybercriminals. So stay vigilant, be skeptical of requests for your personal info, and use strong, unique passwords for each service. Doing so will allow you to comfortably enjoy the web‘s many benefits and have confidence your data isn‘t easily accessible to those with bad intentions.
