Found a website listing member's login ID and PW
29035 cr points
35 / M / Riverside NJ
Posted 4/8/18 , edited 4/8/18
So during a random Google search, I was shocked to discover my login username and PW listed on a forum with a .me domain, and the language was Spanish.

I've changed my password already, and Google Translate shows the people there talking about accessing user accounts but not changing the passwords so they can watch what we pay for.

I'm not sure who to notify about this, but how was this information leaked exactly? I don't receive phishing emails from crunchyroll.

I can provide a link if needed. Seriously messed up.

Mine is not the only profile in this post...

59925 cr points
32 / M / Dallas, TX
Posted 4/8/18 , edited 4/8/18

daflyinskwirl wrote:

So during a random Google search, I was shocked to discover my login username and PW listed on a forum with a .me domain, and the language was Spanish.

I've changed my password already, and Google Translate shows the people there talking about accessing user accounts but not changing the passwords so they can watch what we pay for.

I'm not sure who to notify about this, but how was this information leaked exactly? I don't receive phishing emails from crunchyroll.

I can provide a link if needed. Seriously messed up.

Mine is not the only profile in this post...



You should also de-activate any devices here: /acct/?action=devices; if people who accessed your account did so through a browser, you might still see activity until their cookies expire and force them to try to login again. It's recommended you use a strong, unique (not used on any other site) password to prevent password leaks from one service from allowing malicious individuals from accessing your account on other sites.
29035 cr points
35 / M / Riverside NJ
Posted 4/8/18 , edited 4/8/18
I saw two devices that were activated on my account that are not mine around the same time as that post was made. I have deactivated them.

There are 104 accounts and passwords listed in the forum post, as well as what each username has access to.



Is crunchyroll admin interested in stuff like this?

It seems the entire website is dedicated to stealing access to people's premium services.
37630 cr points
M
Posted 4/8/18 , edited 4/8/18
This might apply; there was an incident in November:
https://help.crunchyroll.com/hc/en-us/articles/115005456963-Information-on-the-malicious-CrunchyViewer-exe-software

I'm sure they're interested, but may not be able to address it through the forum on Sunday.
Der Zoodirektor
26961 cr points
36 / M / Germany
Posted 4/9/18 , edited 4/9/18

marklebid wrote:

This might apply; there was an incident in November:
https://help.crunchyroll.com/hc/en-us/articles/115005456963-Information-on-the-malicious-CrunchyViewer-exe-software

I'm sure they're interested, but may not be able to address it through the forum on Sunday.


There is no relation to the incident in November.

There are basically people out there who check credentials stolen on other websites against our login, and then share the working ones online.
The underlying issue is customers recycling passwords across multiple websites, which makes it incredibly easy to steal all or parts of their online persona.
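The cross-checking shinryou describes leaves a recognisable trace in a service's own login logs: one source address walking through many different usernames with a low hit rate, whereas a real user who forgot a password hammers a single account. The script below is an added example of that detection logic, not Crunchyroll's code; the log format (one attempt per line: timestamp, source IP, username, OK/FAIL), the addresses and the usernames are all constructed.

```python
"""Flag credential-stuffing sources in a login log.

Added example; not Crunchyroll code. The log format (one attempt per line:
"timestamp source_ip username OK|FAIL") and every address and name in it
are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.7 replays a breach dump against eight
# different accounts and gets two hits; 198.51.100.21 is a real user who
# mistypes once and then succeeds.
SAMPLE_LOG = """\
2018-04-08T03:11:02Z 203.0.113.7 alice FAIL
2018-04-08T03:11:03Z 203.0.113.7 bob FAIL
2018-04-08T03:11:03Z 203.0.113.7 carol OK
2018-04-08T03:11:04Z 203.0.113.7 dave FAIL
2018-04-08T03:11:05Z 203.0.113.7 erin FAIL
2018-04-08T03:11:05Z 203.0.113.7 frank OK
2018-04-08T03:11:06Z 203.0.113.7 grace FAIL
2018-04-08T03:11:07Z 203.0.113.7 heidi FAIL
2018-04-08T09:30:00Z 198.51.100.21 daflyinskwirl FAIL
2018-04-08T09:30:15Z 198.51.100.21 daflyinskwirl OK
"""


def parse_log(text):
    """Turn the constructed log format into a list of attempt dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for sources that tried many distinct usernames
    with a low success rate. A forgetful user retries one account; a
    breach-dump replay walks through many accounts and mostly fails."""
    per_ip = defaultdict(lambda: {"users": set(), "hits": set(), "attempts": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["hits"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "success_rate": rate,
                # Accounts whose sessions should be revoked and owners notified.
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The thresholds are assumptions for the sample; on real traffic they are tuned per service, and the same grouping is usually done per /24 or per ASN as well, because stuffing tools rotate source addresses.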
15050 cr points
☆Land of sweets☆
Posted 4/9/18 , edited 4/9/18

shinryou wrote:


marklebid wrote:

This might apply; there was an incident in November:
https://help.crunchyroll.com/hc/en-us/articles/115005456963-Information-on-the-malicious-CrunchyViewer-exe-software

I'm sure they're interested, but may not be able to address it through the forum on Sunday.


There is no relation to the incident in November.

There are basically people out there who check credentials stolen on other websites against our login, and then share the working ones online.
The underlying issue is customers recycling passwords across multiple websites, which makes it incredibly easy to steal all or parts of their online persona.


although password reuse is one possible reason for people getting hacked, it's far from being the sole reason. other possible reasons include:

1. having a keylogger in the system. a malware that records the keystrokes and sends it to a criminal.

2. logging in on public computers (such as in school computers, public libraries, etc) and forgetting to log off
(logging in on such computers is already a horrible idea in the first place)

3. phishing attack (emails can look very, very convincing. it doesn't help that Crunchyroll doesn't have the security in place to stop phishing emails, even though the technology already existed for years - DMARC)

4. password hash collision attack. this would depend on how strongly Crunchyroll uses hashing (md5/salting/etc). the latest version with the most up-to-date security is obviously better. md4 is broken and md5 is also broken (though the latter requires deep pockets)

5. social engineering. no matter how strong the password is, if the customer support is fooled into giving access to the account, all hope is lost. apparently, paypal suffered from this. hopefully this is not the case with Crunchyroll. then again, they only have one engineer left...

6. brute-force / dictionary attack. having a weak passw0rd123 won't help secure one's account.

7. hacking through email (aka backdoor hacking): if the email has a weak password, the attacker could simply hack the email and then reset the password to his or her liking. a password with only 8 to 12 characters is probably a joke to hack with today's computers.

there may be more besides the ones from the list above.
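Whatever the other avenues, the thread keeps coming back to passwords that already sit in a breach dump. One defensive check a service can run at signup or password reset is to ask whether the candidate password is known-breached without ever sending the password itself: the client hashes it locally and sends only the first five hex characters of the hash, the server returns every hash suffix with that prefix, and the client does the final match. Below is an added example of both halves of that k-anonymity range protocol, not Crunchyroll's code and not any particular service's API; the corpus, its occurrence counts and the length policy are constructed.

```python
"""Check a candidate password against a breach corpus without revealing it.

Added example; not Crunchyroll code. Both halves of the k-anonymity range
protocol (the pattern public breach-check services use) run in-process
here; the corpus and the counts are constructed.
"""
import hashlib

# Constructed breach corpus: passwords seen in leaked dumps with a made-up
# occurrence count. A real corpus holds hundreds of millions of entries.
_BREACHED = {
    "passw0rd123": 3,
    "password": 5_000_000,
    "123456": 23_000_000,
    "qwerty": 3_800_000,
    "letmein": 200_000,
}


def sha1_hex(password):
    """SHA-1 is used only as a lookup key here, not for password storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


_CORPUS = {sha1_hex(p): n for p, n in _BREACHED.items()}


def server_range(prefix5):
    """Server side: return every (suffix, count) whose hash starts with the
    5-hex-char prefix. The server sees only 20 bits of the hash, so it
    cannot tell which of the matching passwords the client is checking."""
    prefix5 = prefix5.upper()
    if len(prefix5) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return [(h[5:], n) for h, n in _CORPUS.items() if h.startswith(prefix5)]


def breach_count(password, range_lookup=server_range):
    """Client side: hash locally, send only the prefix, compare suffixes
    locally. Returns how often the password appears in the corpus
    (0 = never seen)."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for sfx, n in range_lookup(prefix):
        if sfx == suffix:
            return n
    return 0


def password_accepted(password, min_length=12):
    """Signup/reset policy (constructed): reject anything that appears in a
    dump, however strong it looks, and anything shorter than min_length."""
    return len(password) >= min_length and breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ("passw0rd123", "a long and unique sentence here"):
        print(candidate, "->", "rejected" if not password_accepted(candidate) else "accepted")
```

The important property is in server_range: it never returns a full hash, and the client never sends one, so a network observer or the server itself learns only that the password's hash shares a prefix with a few hundred others.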
Der Zoodirektor
26961 cr points
36 / M / Germany
Posted 4/9/18 , edited 4/9/18

namealreadytaken wrote:

although password reuse is one possible reason for people getting hacked, it's far from being the sole reason. other possible reasons include:

1. having a keylogger in the system. a malware that records the keystrokes and sends it to a criminal.

2. logging in on public computers (such as in school computers, public libraries, etc) and forgetting to log off
(logging in on such computers is already a horrible idea in the first place)

3. phishing attack (emails can look very, very convincing. it doesn't help that Crunchyroll doesn't have the security in place to stop phishing emails, even though the technology already existed for years - DMARC)

4. password hash collision attack. this would depend on how strongly Crunchyroll uses hashing (md5/salting/etc). the latest version with the most up-to-date security is obviously better. md4 is broken and md5 is also broken (though the latter requires deep pockets)

5. social engineering. no matter how strong the password is, if the customer support is fooled into giving access to the account, all hope is lost. apparently, paypal suffered from this. hopefully this is not the case with Crunchyroll. then again, they only have one engineer left...

6. brute-force / dictionary attack. having a weak passw0rd123 won't help secure one's account.

7. hacking through email (aka backdoor hacking): if the email has a weak password, the attacker could simply hack the email and then reset the password to his or her liking. a password with only 8 to 12 characters is probably a joke to hack with today's computers.

there may be more besides the ones from the list above.


Credential cross-checking using data from breach dumps outranks any other avenue in regards to consumer accounts by a wide margin. And I mean a WIDE margin.
37630 cr points
M
Posted 4/9/18 , edited 4/10/18

shinryou wrote: There is no relation to the incident in November.

There are basically people out there who check credentials stolen on other websites against our login, and then share the working ones online.
The underlying issue is customers recycling passwords across multiple websites, which makes it incredibly easy to steal all or parts of their online persona.


I'm not the OP but thank you for that.
15050 cr points
☆Land of sweets☆
Posted 4/11/18 , edited 4/11/18

shinryou wrote:


namealreadytaken wrote:
5. social engineering. no matter how strong the password is, if the customer support is fooled into giving access to the account, all hope is lost. apparently, paypal suffered from this. hopefully this is not the case with Crunchyroll. then again, they only have one engineer left...


Credential cross-checking using data from breach dumps outranks any other avenue in regards to consumer accounts by a wide margin. And I mean a WIDE margin.

well, that didn't take long (though in most cases, people trying to access others' accounts by tricking the staff do so without posting on the forums).
http://www.crunchyroll.com/forumtopic-1017653/change-adress-email

please tell me Crunchyroll has some form of safeguard in place to protect legit users against social engineers.
29035 cr points
35 / M / Riverside NJ
Posted 4/17/18 , edited 4/18/18
does crunchyroll keep track of where login attempts are made from?


Wouldn't it be suspicious if my location comes back in the Northeastern US (where I was the last time I even bothered logging in to crunchyroll until this incident) vs where the stolen logins happen? (aka wherever this .de website is located vs where users are logging in from). The forum is almost entirely in Spanish.

Surely I can't be in two places on the planet at once.

I don't access CR on public computers, I haven't been phished through email, I don't have malware on my PC, I do however use the same password across multiple platforms.

That being said however, it's a medium strength password that wouldn't be susceptible to brute force/ dictionary attacks.
I have since changed it.

15050 cr points
☆Land of sweets☆
Posted 4/17/18 , edited 4/18/18

daflyinskwirl wrote:

does crunchyroll keep track of where login attempts are made from?


Wouldn't it be suspicious if my location comes back in the Northeastern US (where I was the last time I even bothered logging in to crunchyroll until this incident) vs where the stolen logins happen? (aka wherever this .de website is located vs where users are logging in from). The forum is almost entirely in Spanish.

Surely I can't be in two places on the planet at once.

I don't access CR on public computers, I haven't been phished through email, I don't have malware on my PC, I do however use the same password across multiple platforms.

That being said however, it's a medium strength password that wouldn't be susceptible to brute force/ dictionary attacks.
I have since changed it.



from what i recall, Crunchyroll does check your location - at least when you try to change the password.
not sure if they will actively block suspicious connection (say, a user from the UK suddenly posting from India)

as a precaution, i also recommend making your email password as secure as possible (a long and unique sentence should be good enough).
having 2-factor authentication for your email is also a good idea.
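The "can't be in two places at once" reasoning daflyinskwirl raises is exactly what an impossible-travel check encodes: take consecutive successful logins for one account, work out the great-circle distance between their source locations, divide by the time between them, and alert when the implied speed is faster than any traveller. The code below is an added example of that check, not Crunchyroll's code and not a description of what Crunchyroll actually runs; it assumes the service records a source location with each login (in practice derived from the source IP by a geolocation database), and the users, timestamps and coordinates are constructed.

```python
"""Impossible-travel check on successive logins for one account.

Added example; not Crunchyroll code. Assumes each successful login is
recorded with a source location (lat/lon, in practice looked up from the
source IP). All users, times and places below are constructed.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: about airliner speed; faster is not a traveller

# Constructed login events: alice "moves" from New Jersey to Madrid in an
# hour, bob drives from New York to Boston over five hours.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2018-04-08T10:00:00+00:00", "where": "Riverside, NJ", "lat": 40.03, "lon": -74.96},
    {"user": "alice", "ts": "2018-04-08T11:00:00+00:00", "where": "Madrid, ES", "lat": 40.42, "lon": -3.70},
    {"user": "bob", "ts": "2018-04-08T08:00:00+00:00", "where": "New York, NY", "lat": 40.71, "lon": -74.01},
    {"user": "bob", "ts": "2018-04-08T13:00:00+00:00", "where": "Boston, MA", "lat": 42.36, "lon": -71.06},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins of the same user whose implied ground speed
    exceeds max_kmh. Each event needs user, ts (ISO 8601 with UTC offset),
    lat and lon; 'where' is only carried through for the report."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    flags = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours <= 0:
                # Same-second logins: only suspicious if they are far apart.
                speed = float("inf") if km > 1 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                flags.append({
                    "user": user,
                    "from": prev["where"],
                    "to": cur["where"],
                    "km": round(km),
                    "hours": round(hours, 2),
                    "kmh": round(speed),
                })
    return flags


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print(f)
```

Geolocation of an IP is coarse and VPN exits move people thousands of kilometres legitimately, so a hit is a reason to step up authentication or notify the owner rather than to block outright.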
ts0ng 
5013 cr points
37 / M
Posted 4/19/18 , edited 4/19/18
There isn't much you can do about this. Even after removing devices and changing your password, different apps and browsers expire at different times. I have no idea how long, but it must be a long time (or never) because someone has been using my account for months and messing w/ my queue. They probably could chase down where people are connecting from, but I don't think they particularly care. There likely isn't a way to force a log out from whatever app they might be using as well. I think I read that most development was going to vrv and not cr now, so I'd doubt this is going to change. I'm letting my premium acct expire because I'm tired of whoever has hijacked my account changing my queue around and CR not caring.
55194 cr points
62 / M / Earth
Posted 4/19/18 , edited 4/19/18

ts0ng wrote:

There isn't much you can do about this. Even after removing devices and changing your password, different apps and browsers expire at different times. I have no idea how long, but it must be a long time (or never) because someone has been using my account for months and messing w/ my queue. They probably could chase down where people are connecting from, but I don't think they particularly care. There likely isn't a way to force a log out from whatever app they might be using as well. I think I read that most development was going to vrv and not cr now, so I'd doubt this is going to change. I'm letting my premium acct expire because I'm tired of whoever has hijacked my account changing my queue around and CR not caring.


Devices can be deactivated here: /acct/?action=devices

There isn't anything you can do about browser cookies, though.
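The complaint in the last two posts, that a stranger's browser session outlives a password change and a device removal, is a design question on the server side rather than something the user can fix. A signed cookie cannot be recalled once issued, but the server can refuse any token whose issue time predates the account's last password change, and any token bound to a device the owner has deactivated. The code below is an added example of that revocation logic, not Crunchyroll's code and not a claim about how Crunchyroll's sessions work; the key, account, device names and timestamps are constructed.

```python
"""Server-side session invalidation on password change or device removal.

Added example; not Crunchyroll code. A stateless signed cookie cannot be
"un-issued", but the server can reject any token issued before the
account's last password change or tied to a deactivated device. Key,
account, device names and timestamps are constructed.
"""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-example-key-not-a-real-secret"  # assumption: server-held secret


class Account:
    def __init__(self, user):
        self.user = user
        self.password_changed_at = 0.0   # epoch seconds of the last credential change
        self.revoked_devices = set()     # device ids removed on the devices page


def issue_token(account, device_id, now):
    """Mint a signed session token carrying user, device and issue time."""
    payload = {"user": account.user, "device": device_id, "iat": now}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def validate_token(token, accounts):
    """Return (user, "ok") or (None, reason). Signature first, then the two
    revocation conditions this thread is about."""
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed"
    body, sig = parts
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    payload = json.loads(base64.urlsafe_b64decode(body))
    acct = accounts.get(payload.get("user"))
    if acct is None:
        return None, "unknown user"
    if payload["device"] in acct.revoked_devices:
        return None, "device deactivated"
    if payload["iat"] < acct.password_changed_at:
        return None, "issued before password change"
    return acct.user, "ok"


def change_password(account, now):
    """Recording the change time is what makes older sessions die."""
    account.password_changed_at = now


def deactivate_device(account, device_id):
    account.revoked_devices.add(device_id)


def demo():
    """Walk through hijack, password change and device removal; return each verdict."""
    accounts = {"owner": Account("owner")}
    acct = accounts["owner"]
    t0 = 1_523_145_600.0  # constructed epoch timestamp
    stolen = issue_token(acct, "unknown-device", t0)        # session from a stuffed login
    results = {"stolen_before": validate_token(stolen, accounts)[1]}
    change_password(acct, t0 + 60)                           # owner changes the password
    results["stolen_after"] = validate_token(stolen, accounts)[1]
    phone = issue_token(acct, "owner-phone", t0 + 61)        # owner logs back in
    results["fresh"] = validate_token(phone, accounts)[1]
    deactivate_device(acct, "owner-phone")                   # removed on the devices page
    results["revoked"] = validate_token(phone, accounts)[1]
    tampered = stolen[:-1] + ("0" if stolen[-1] != "0" else "1")
    results["tampered"] = validate_token(tampered, accounts)[1]
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(step, "->", verdict)
```

The cost of this design is one lookup of the account record per request, which is also what lets the server apply the device list from /acct/?action=devices to browser cookies, not only to app registrations.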