In May 2022, the Hong Kong-based manga service Mangatoon suffered a data breach that exposed 23M subscriber records. The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and passwords stored as salted MD5 hashes. Mangatoon did not respond to multiple attempts to make contact regarding the breach.
Bleeping Computer covers how the breach happened: it was an Elasticsearch instance with the password “password”.
Troy Hunt covered it in Weekly Update 303 and then again in 304.
Summary of the breach
Accounts breached: 23040238
Breached on: May 13, 2022
Exposed data: Auth tokens, Avatars, Email addresses, Genders, Names, Passwords, Social media profiles, and Usernames
Added on: July 06, 2022