Post Reply Can't login
7 cr points
Send Message: Send PM GB Post
29 / M
Offline
Posted 2/24/15
2 weeks ago I went to log into my premium account that I've had for 6 years and was presented with an invalid information message. I tried to reset my password (even though I know it was correct) and was presented with a message that my email was not on file. I submitted a ticket and 2 days later I received a response asking for my payment information to verify I had purchased a premium account. After giving said information I have yet to hear a reply in over a week, which I find to be ridiculous, to not even give me a single word on the issue or that they were even investigating it. I've created this secondary account to post on these forums to see if a moderator may be able to look into this for me as well and find out why I have yet to hear a single word about why my account seems to suddenly inaccessible even though I can still pull up my account at http://www.crunchyroll.com/user/kschaffner and see that it does exist.
Posted 2/24/15
i tried to go to your account but apparently it doesn't exist any more :/
One Punch Mod
99339 cr points
Send Message: Send PM GB Post
F / Boston-ish
Offline
Posted 2/24/15

koaxe wrote:

2 weeks ago I went to log into my premium account that I've had for 6 years and was presented with an invalid information message. I tried to reset my password (even though I know it was correct) and was presented with a message that my email was not on file. I submitted a ticket and 2 days later I received a response asking for my payment information to verify I had purchased a premium account. After giving said information I have yet to hear a reply in over a week, which I find to be ridiculous, to not even give me a single word on the issue or that they were even investigating it. I've created this secondary account to post on these forums to see if a moderator may be able to look into this for me as well and find out why I have yet to hear a single word about why my account seems to suddenly inaccessible even though I can still pull up my account at http://www.crunchyroll.com/user/kschaffner and see that it does exist.


I can get to that account, so yes it does exist. But mods can't really do anything about it. There have been recent reports from several users that their accounts were "stolen" and that whoever got into them changed the password and email address. Your best bet is to contact the individual support person who had contacted you (maybe also check your spam folder to see if a recent reply from them ended up there).

If you have other accounts not on Crunchy which use the same username/email/password you should change your passwords on them so that you aren't using the same user/pw combination in more than one place.
7 cr points
Send Message: Send PM GB Post
29 / M
Offline
Posted 2/24/15
I've sent 2 emails back to the original person with zero word back from them in over a week. I just opened up a new ticket. I don't know how my account could have been stolen. I've been an IS Support Specialist for 9 years and am very proficient on PCs and fixing any issues that they may have. My machine is not infected with viruses, spyware or adware. I don't use the same passwords for every site that I'm on through good practices. It's just incredibly frustrating to get zero replies from support when I've been such a long time paying customer.
106603 cr points
Send Message: Send PM GB Post
57 / M / U.S.A. (mid-south)
Offline
Posted 2/24/15

koaxe wrote:

I don't use the same passwords for every site that I'm on through good practices.

So would it be correct to assume you've never clicked on a link in an e-mail that appeared to be from CR, and been prompted to log in when you arrived at the site?

7 cr points
Send Message: Send PM GB Post
29 / M
Offline
Posted 2/24/15

TheAncientOne wrote:


koaxe wrote:

I don't use the same passwords for every site that I'm on through good practices.

So would it be correct to assume you've never clicked on a link in an e-mail that appeared to be from CR, and been prompted to log in when you arrived at the site?



Correct, I am well aware of scam emails and would not click on a link from a questionable email without checking the hyperlink itself to make sure it doesn't redirect to another site. I haven't gotten a crunchyroll email in a long time though, I unsubscribed from the newsletter and I don't get queue updates anymore either. I manually go to the site and login on the days that I have anime I watch that is released or I feel like browsing for something.
106603 cr points
Send Message: Send PM GB Post
57 / M / U.S.A. (mid-south)
Offline
Posted 2/24/15

koaxe wrote:

Correct, I am well aware of scam emails and would not click on a link from a questionable email without checking the hyperlink itself to make sure it doesn't redirect to another site. I haven't gotten a crunchyroll email in a long time though, I unsubscribed from the newsletter and I don't get queue updates anymore either. I manually go to the site and login on the days that I have anime I watch that is released or I feel like browsing for something.

Frankly, especially since non-Roman characters are now allowed in URL, it has become a lot easier for a phisher to set up a site that at first (and perhaps second) glance looks like the correct URL.

Given that you haven't even gotten a CR e-mail in a while, however, that doesn't seem to be the exploit that was used.

Taking the remainder of what you said at face value (password not shared with other sites, no malware on your system) that would appear to leave only a few possibilities:

1. Someone gaining access to your e-mail account, having a password reset sent, and deleting said e-mail before you saw it.

2. Someone guessing or brute forcing your password (which shouldn't be possible if it was sufficiently long and random).

3. An unknown exploitable weakness in CR's password system. (This is the possibility that worries me the most).

Der Zoodirektor
26133 cr points
Send Message: Send PM GB Post
35 / M / Germany
Offline
Posted 2/24/15
The most common way of intruders compromising accounts is by using log-in data stolen from other websites. Means affected users play a great part in the process by using the same email/password combination on several sites.


In any case, it seems that he got his account back through the regular support channels.
106603 cr points
Send Message: Send PM GB Post
57 / M / U.S.A. (mid-south)
Offline
Posted 2/25/15 , edited 2/25/15

shinryou wrote:

The most common way of intruders compromising accounts is by using log-in data stolen from other websites. Means affected users play a great part in the process by using the same email/password combination on several sites.

In this case, the user was asserting that was not the case:

I don't use the same passwords for every site that I'm on through good practices.

That said, I've been around long enough to know that can sometimes mean "I use the same base password and change the numbers at the end", but I have my doubts that is the case here.


As has been suggested before, it would be nice if CR could allow switching in advance to an alternate method for password resets (such as sending a text message to a phone, as someone in possession of a compromised database is very unlikely to also have the users phone).

Having the option of turning on a requirement of second factor authentication for password or e-mail changes would also help.

You must be logged in to post.