Post Reply My account was compromised
Posted 10/8/17 , edited 10/9/17
As the title suggests my account has been compromised and i can no longer log in to it. I had to create a new account to post about this issue. I have an email from crunchyroll support with the email my account has been updated to, that isnt mine. I would love to resolve this issue.
54287 cr points
Send Message: Send PM GB Post
61 / M / Earth
Offline
Posted 10/8/17 , edited 10/11/17
Put in a direct support request: /contact
37757 cr points
Send Message: Send PM GB Post
47 / Seattle
Offline
Posted 10/9/17 , edited 10/11/17
Unless CR has improved security and customer service (unlikely since for years now, scores of people have reported exactly what you're experiencing), check the credit card you used to buy the subscription. There's a good chance someone's been buying stuff in the CR store. They've known about gaping security holes* for a long time and people have pleaded with them to fix them, but they've flat-out ignored it for years.

I've seen them claim in the forums that they'll refund the false charges to people, but they have a strange habit of telling people to take the discussion with them offline. They also purge threads like these right after restoring the victim's account. And you'd think that if they were the ones hemorrhaging money off the false charges, they'd have fixed it long ago.

* - no password reset gets sent to original email, no option to keep your card from being used for anything but subscription, as long as you're subscriobed you're forced to leave your credit card available for charges in their badly-flawed system, etc.
Der Zoodirektor
26630 cr points
Send Message: Send PM GB Post
35 / M / Germany
Offline
Posted 10/9/17 , edited 10/11/17

arimareiji wrote:

Unless CR has improved security and customer service (unlikely since for years now, scores of people have reported exactly what you're experiencing), check the credit card you used to buy the subscription. There's a good chance someone's been buying stuff in the CR store. They've known about gaping security holes* for a long time and people have pleaded with them to fix them, but they've flat-out ignored it for years.

I've seen them claim in the forums that they'll refund the false charges to people, but they have a strange habit of telling people to take the discussion with them offline. They also purge threads like these right after restoring the victim's account. And you'd think that if they were the ones hemorrhaging money off the false charges, they'd have fixed it long ago.

* - no password reset gets sent to original email, no option to keep your card from being used for anything but subscription, as long as you're subscriobed you're forced to leave your credit card available for charges in their badly-flawed system, etc.


We have a CVV check requirement for all store purchases. We are not storing that anywhere in the settings, it has to be manually entered. It is not possible to make an unauthorized purchase from the store with a saved credit card.

We obviously do not exchange account and payment data with users on a public forum. That is why we want all of these issues to be sent in via the proper, more secure channels. It's definitely not a weird habit, it needs to be done to protect the users's account and privacy.

We do not delete any such threads on the help forums. We do delete threads opened by deleted/banned users on other parts of the forum, so every now and then a volunteer moderator may have archived such a thread by accidents. Forum administrators, such as me or other members of our customer service, will not delete any such threads.
37757 cr points
Send Message: Send PM GB Post
47 / Seattle
Offline
Posted 10/9/17 , edited 10/11/17

shinryou wrote:


arimareiji wrote:

Unless CR has improved security and customer service (unlikely since for years now, scores of people have reported exactly what you're experiencing), check the credit card you used to buy the subscription. There's a good chance someone's been buying stuff in the CR store. They've known about gaping security holes* for a long time and people have pleaded with them to fix them, but they've flat-out ignored it for years.

I've seen them claim in the forums that they'll refund the false charges to people, but they have a strange habit of telling people to take the discussion with them offline. They also purge threads like these right after restoring the victim's account. And you'd think that if they were the ones hemorrhaging money off the false charges, they'd have fixed it long ago.

* - no password reset gets sent to original email, no option to keep your card from being used for anything but subscription, as long as you're subscriobed you're forced to leave your credit card available for charges in their badly-flawed system, etc.


We have a CVV check requirement for all store purchases. We are not storing that anywhere in the settings, it has to be manually entered. It is not possible to make an unauthorized purchase from the store with a saved credit card.

We obviously do not exchange account and payment data with users on a public forum. That is why we want all of these issues to be sent in via the proper, more secure channels. It's definitely not a weird habit, it needs to be done to protect the users's account and privacy.

We do not delete any such threads on the help forums. We do delete threads opened by deleted/banned users on other parts of the forum, so every now and then a volunteer moderator may have archived such a thread by accidents. Forum administrators, such as me or other members of our customer service, will not delete any such threads.

This is mincing words. When a victim of fraud creates a new account to ask for help in the forums, they typically use their normal email. One policy is to delete the new account if it uses the same email (typically true). Another policy is to delete entire threads started by deleted accounts, no matter how many other people have posted in the thread. The best anyone can say is that by "fortunate coincidence" (from CR's point of view), this results in purging threads started by victims of fraud.

Occasions where victims are told to take conversations offline are not limited to those that require users' personal data.

If policy has changed and you no longer allow people to run up large bills in the CR store with only the credit card number on file, that's great. For quite a while, the majority of account-theft victims reported this as well as long /contact waits that had prompted them to come to the forum in the first place.

Does CR still have a policy (which is decided by CR, not as a matter of law) of:
* Allowing someone to change an account's contact email without sending a password-reset option to the old email, despite multiple requests for this security feature used by other services?
* No option to take a credit card number out of the system (except by permanently unsubscribing)? Please don't return to "Netflix does it too" (I've previously showed you the chat transcripts showing they don't) or "We have to in order to charge for the subscription". It makes no sense to force someone who renews once a year to keep it on file and vulnerable all year - unless CR is hoping they'll forget and get auto-renewed, as is evident with the "cancel at any time free trial" that doesn't let people cancel at any time.
* No option to prevent a credit card number kept on file (as a mandatory condition of subscribing) from being used in the CR store?
*
37757 cr points
Send Message: Send PM GB Post
47 / Seattle
Offline
Posted 10/9/17 , edited 10/11/17
An addendum to "CR doesn't purge the threads, moderators do it":
Did the moderators create the above-mentioned policies that result in fraud victims' threads being purged, or did CR set those policies and require moderators to purge the entire threads (not just the posts by the account the victim created)?
Posted 10/9/17 , edited 10/9/17
I'm having similar problems to the person who started this thread a little help getting back into my account would be nice the fee for the month has already been paid and I cannot access my account and when I try to send email to reset email never comes
Der Zoodirektor
26630 cr points
Send Message: Send PM GB Post
35 / M / Germany
Offline
Posted 10/10/17 , edited 10/11/17

arimareiji wrote:

An addendum to "CR doesn't purge the threads, moderators do it":
Did the moderators create the above-mentioned policies that result in fraud victims' threads being purged, or did CR set those policies and require moderators to purge the entire threads (not just the posts by the account the victim created)?


The mods do not normally touch threads the help forums at all. It would be rather unhelpful, if they started messing with my work here.
37757 cr points
Send Message: Send PM GB Post
47 / Seattle
Offline
Posted 10/10/17 , edited 10/11/17

shinryou wrote:
The mods do not normally touch threads the help forums at all. It would be rather unhelpful, if they started messing with my work here.


Then I'm not clear on why you asserted that the reason those threads disappear is through the moderators. If neither they nor paid staff are the ones who delete them, security has even more unaddressed holes than we already knew.

Edit: I looked up the thread where this first came up.

shinryou wrote:


arimareiji wrote:

Just curious... when people post threads about their account being compromised are they going to start routinely disappearing, or was the one that disappeared this morning a fluke for reasons that can't be disclosed?

When I went to check on whether the person had any luck resolving their issue (I was kinda worried about them), I saw that the thread with their post and my reply letting them know the steps they needed to take is apparently gone.


As email have to be unique in the system, we have to wipe secondary accounts upon restoring their proper account, if they used the same email address for those. This will lead to some posts without a poster upon the deletion of the secondary user.


Der Zoodirektor
26630 cr points
Send Message: Send PM GB Post
35 / M / Germany
Offline
Posted 10/10/17 , edited 10/11/17

arimareiji wrote:


shinryou wrote:
The mods do not normally touch threads the help forums at all. It would be rather unhelpful, if they started messing with my work here.


Then I'm not clear on why you asserted that the reason those threads disappear is through the moderators. If neither they nor paid staff are the ones who delete them, security has even more unaddressed holes than we already knew.

Edit: I looked up the thread where this first came up.

shinryou wrote:


arimareiji wrote:

Just curious... when people post threads about their account being compromised are they going to start routinely disappearing, or was the one that disappeared this morning a fluke for reasons that can't be disclosed?

When I went to check on whether the person had any luck resolving their issue (I was kinda worried about them), I saw that the thread with their post and my reply letting them know the steps they needed to take is apparently gone.


As email have to be unique in the system, we have to wipe secondary accounts upon restoring their proper account, if they used the same email address for those. This will lead to some posts without a poster upon the deletion of the secondary user.




The threads don't disappear. Only the accounts of the original posters are gone, as I have to delete the secondary accounts to transfer back the email addresses to the proper account. It's not possible for 2 accounts to exist under the same email address.
Nobody deletes full threads on the help forums.
37757 cr points
Send Message: Send PM GB Post
47 / Seattle
Offline
Posted 10/10/17 , edited 10/11/17

shinryou wrote:
The threads don't disappear. Only the accounts of the original posters are gone, as I have to delete the secondary accounts to transfer back the email addresses to the proper account. It's not possible for 2 accounts to exist under the same email address.
Nobody deletes full threads on the help forums.


But that was exactly what I asked at the time.

I had noticed threads disappearing but that was the first one I could conclusively demonstrate had disappeared. If threads aren't supposed to disappear, then your response to my question (you affirmed that it was because of the OP account being deleted) was misleading at best.

~~~~~
Edit: Emphasis added

shinryou wrote:


arimareiji wrote:

Just curious... when people post threads about their account being compromised are they going to start routinely disappearing, or was the one that disappeared this morning a fluke for reasons that can't be disclosed?

When I went to check on whether the person had any luck resolving their issue (I was kinda worried about them), I saw that the thread with their post and my reply letting them know the steps they needed to take is apparently gone.


As email have to be unique in the system, we have to wipe secondary accounts upon restoring their proper account, if they used the same email address for those. This will lead to some posts without a poster upon the deletion of the secondary user.
37757 cr points
Send Message: Send PM GB Post
47 / Seattle
Offline
Posted 10/10/17 , edited 10/11/17
For reference: Just prior to your (shinryou's) response quote above from 2015, asharka said this (emphasis added):

asharka wrote:


arimareiji wrote:

Just curious... when people post threads about their account being compromised are they going to start routinely disappearing, or was the one that disappeared this morning a fluke for reasons that can't be disclosed?

When I went to check on whether the person had any luck resolving their issue (I was kinda worried about them), I saw that the thread with their post and my reply letting them know the steps they needed to take is apparently gone.

I see that one got closed because the thread creator nuked the posting account. It likely got resolved privately with PMs or emails. They routinely close all forum threads where the OP/creator has completely deleted their account with the /nuke page, no matter what the subject of the thread was or what forum it appeared in.


After your response that I quoted above, you implied that the thread (about a hijacked account) must have been in another forum. I affirmed otherwise.

arimareiji wrote:

shinryou wrote:
I just work on the help forums, I don't know in detail how the other parts of the forum are operated.

It was actually here in the help forums. When I first saw it disappear I thought that maybe someone moved it to another forum board, but that wouldn't make sense because this is where the thread would belong.


After that, you no longer responded. (That seems to happen a lot with bug reports, outages, and details about scams such as the 14-day-"cancel-anytime" trial that you can't cancel on days 1, 2, 13, and 14. No one from CR ever responds) That's probably best for CR, since it makes embarrassing facts disappear more quickly.

But to be fair, at least that method doesn't involve immediate deletion, such as happens with threads about hijacked accounts. It's a pleasant surprise that this one hasn't been deleted yet, since it meets the excuse condition for deletion (OP account deleted).

What probably speaks most loudly is the fact no FAQ is allowed on the Help board. The exact same things happen over and over again (account gets hijacked, a person thought they canceled and got charged again and then you guys tell them no they didn't cancel, etc) - but no FAQ. It must get dreadfully tedious to spend hours a week answering the same questions with
☛"Go talk to /contact."
☛"It must be your fault that someone hacked your account."
☛"You should have waited a few more days for /contact to respond (about someone running up charges on your credit card in our store)."
☛"We asked for clarification and you never responded" (which leads to "What are you talking about? I'm here because I never got a response.").
☛"It's your fault our system didn't cancel you, and we'll call you a liar for saying you did cancel since you never got an email that you didn't know you needed - that our system didn't send you - when it didn't actually cancel you - so you're SOL on getting a refund for all the months we charged."
☛"Well yeah, the 14-day-trial banner does say 'Cancel any time'. But you can't cancel for the first 2 days because supposedly it takes that long to validate a credit card (for the trial you don't need to pay for, since you're canceling). Or the last 2 days because the system jumps the gun and charges you early. Hopefully by the time you don't hear from /contact and a few days have passed, you'll forget for a few months then we'll generously not charge you for the final month."
☛Etc

I sorta admire your tenacity. I don't think I could do this to people for years on end and keep pretending each person is the first one who's ever experienced the problem.
You must be logged in to post.