Cybercriminal known as pompompurin has stolen data belonging to 23 million users of a comic reading platform Mangatoon. According to the hacker, in May, they syphoned the database from Mangatoon’s Elasticsearch server that was protected with a weak password.

Cybercriminal has contacted Mangatoon and warned it about the security problem, and the platform did change the password. Nevertheless, it wouldn’t notify its customers about the breach.   

Last week, the data breach notification service Have I Been Pwned (HIBP) added 23 million Mangatoon accounts – names, email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes – to their platform. Notably, 27% of this data was already presented in HIBP database.

Before adding the leaked information, the HIBP owner Try Hunt tried to contact Mangatoon first, but didn’t succeed.

Pompompurin is going to publish or sell the stolen database sometime in the future.

The hacker has drawn attention of cybersecurity professionals and law enforcement in November, 2021, when they successfully hacked FBI’s email server. For a long time, the hacker was the regular contributor on data leak forum known as RaidForums. After its servers were seized by law enforcement, pompompurin launched a similar forum called Breached.