Privacy Ninja

Mangatoon Data Breach Exposes Data from 23 million Accounts

Comic reading platform Mangatoon has suffered a data breach that exposed information belonging to 23 million user accounts after a hacker stole it from an unsecured Elasticsearch database.

Mangatoon is also a very popular iOS and Android app used by millions of users to read online Manga comics.

This week, the data breach notification service Have I Been Pwned (HIBP) added 23 million Mangatoon accounts to their platform.

“Mangatoon had 23M accounts breached in May. The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes,” tweeted the HIBP account.

The addition of the Mangatoon database comes after HIBP’s owner, Troy Hunt, attempted to contact the company about the data breach without any success.

Mangatoon users can now search for their email address on HIBP and check if their account is part of the breach.

BleepingComputer has sent multiple emails to Mangatoon regarding the data breach but has not heard back.

Stolen from an Elasticsearch database

The data breach was conducted by a well-known hacker named “pompompurin,” who said they stole the database from an Elasticsearch server that was using weak credentials.

“It was ES, they had credentials on it but it was just “password”, they changed the credentials after I emailed telling them but they never notified their customers and never replied,” pompompurin told BleepingComputer.

Folder containing the stolen Mangatoon databases
Source: pompompurin

pompompurin shared samples of the database with BleepingComputer, which we confirmed to be valid accounts on the Mangatoon platform.

When asked if they would publicly release or sell the database, they said they would probably leak it at some point.

emails through the FBI’s Law Enforcement Enterprise Portal (LEEP) and stealing customer data from Robinhood.

After the RaidForums hacking forum was seized by law enforcement, pompompurin launched a similar forum called Breached.
