A few days ago, on 17th March, MangaDex found that a malicious actor, who already had access to an administrative account, had compromised the site. According to the team, the actor gained access to the administrative account by reusing a session token found in an older database leak, which a flaw in the session management configuration made possible. The team then located and patched the vulnerable section of code and cleared session data globally to prevent further attempts using the same technique.
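A token copied out of a database dump can only be replayed if the live site still accepts it. The following is an added example, not MangaDex's code: the `SessionStore` class, its one-hour TTL and the in-memory dict are assumptions used to show a store that keeps only a hash of each token, expires sessions server-side, and supports the kind of global sweep described above.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Hypothetical server-side store: keeps SHA-256(token), never the token."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.rows = {}  # token_hash -> (user, issued_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # only the client holds this value
        self.rows[self._digest(token)] = (user, now)
        return token

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        key = self._digest(token)
        row = self.rows.get(key)
        if row is None:
            return None
        user, issued_at = row
        if now - issued_at > self.ttl:  # stale sessions die server-side
            del self.rows[key]
            return None
        return user

    def sweep_all(self):
        """Global invalidation: every outstanding token stops working."""
        self.rows.clear()


def demo():
    store = SessionStore(ttl_seconds=3600)
    admin = store.issue("admin", now=0)      # constructed sample session
    old = store.issue("moderator", now=0)    # constructed sample session
    leaked_hash = next(iter(store.rows))     # what a database dump would expose
    out = {"hash_replayed": store.validate(leaked_hash, now=10),
           "live_token": store.validate(admin, now=10),
           "expired_token": store.validate(old, now=7200)}
    store.sweep_all()
    out["after_sweep"] = store.validate(admin, now=20)
    return out
```
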
After the breach, they spent several hours analyzing the code and began patching. This happened while the site was being reopened after the breach, because the team mistakenly believed that the actor could not access it. As a precaution, their infrastructure is being monitored in case the attacker returns.
Afterward, according to the website's official notice, the attacker even emailed a few users with the message "MangaDex has a DB leak. I suggest you tell their staff about it." Since then, MangaDex has been maintaining the website to protect it and its users from further disruption and security problems.
Fortunately, MangaDex has been fairly transparent about the breach, sharing information via Twitter instead of trying to hush up the details. However, the team recommends taking immediate action to secure one's online identity. The team has also yet to verify a database breach. So, users who reuse the same password across sites may want to change their passwords on other sites as well.
That being said, MangaDex affirmed that the new website, MangaDex v5, will stay offline for a full rewrite that can take two weeks to complete. The decision was made after weighing many alternatives, such as relaunching the website in its present state, which could leave MangaDex vulnerable to further attacks. The new website will have only the basic features. This means that only once MangaDex v5 is launched will users be able to read, upload and follow, as on the original website.
The team confirmed that MangaDex v3 is back, though with several features that allow users to export bookmarks. The team may also set up a bug bounty program for v5. This would help MangaDex patch exploitable flaws in the code so that attackers will not be able to break the website.