What's with all the hacked accounts?
Posted 3/15/15 , edited 3/16/15
/.
Posted 3/15/15 , edited 3/15/15
I'm scared now, someone please hug me
Posted 3/15/15 , edited 3/15/15
I'm fairly certain that a DDoS attack can't steal account passes, or get information on accounts.
Posted 3/15/15
Yeah this is worrying
Posted 3/15/15
I'm no expert. But doesn't DDoS mean Direct denial of service? Or loss of connection?

Doesn't have anything to do with keyloggers/rats/phishing right?
Posted 3/15/15

Fuddbender wrote:

I'm no expert. But doesn't DDoS mean Direct denial of service? Or loss of connection?

Doesn't have anything to do with keyloggers/rats/phishing right?


"Distributed Denial of Service" attack.

I suppose it could be possible for hackers to have performed some other kind of attack during the DDoS, but I would hope that CR had the technical and ethical wherewithal to reveal if any login credentials had been retrieved from their servers.

I know that one of the admins, shinryou, was able to find at least one user's credentials on an external list of leaked emails/passwords, but I don't know what the source of those account details was. It's likely that most of the credentials stolen are using either simple/common passwords, or are re-using passwords between sites.
Posted 3/15/15 , edited 3/16/15
/.
Der Zoodirektor
Posted 3/15/15 , edited 3/16/15
Crunchyroll itself does not have a security issue, however - just as is the case with any other website that offers subscription-based streaming services - criminals target the users of our site in order to gain access to those services.
Many users sadly tend to use the same email/password combination across several services/sites, even if those other sites/services are shady. What basically happens is: a shady site/service sells off its user data or is cracked and has its data dumped; this data is then used by both professional and amateur fraudsters and cross-checked against various other sites/services, such as ours, Netflix, Hulu, etc., in order to find accounts that are using the same email/password.

Those people then either use the accounts themselves, or sell them to others via leak boards. Once shared with others, those others often change the password and email address of the account, locking out the original owner and therefore finalizing the takeover.

What this basically means: Never use the same email/username/password combination or close variations on more than one site. Use complex, long, non-dictionary passwords even if sites/services allow simple passwords.
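The cross-checking described in the post above has a recognisable footprint in a site's own login logs: one source tries many different accounts about once each, which looks nothing like a brute-force attack on a single account. The script below is an added example (not Crunchyroll's code, and not from anyone in this thread) that triages constructed log lines in an assumed `timestamp ip email result` format, labels each source IP, and lists accounts that were successfully logged into from a stuffing source so they can be forced through a password reset.

```python
"""Credential-stuffing triage over authentication logs.

Added example, not Crunchyroll's code. It assumes a constructed log format:
    <timestamp> <source_ip> <email> <FAIL|SUCCESS>
"""
from collections import defaultdict

# Constructed sample: 203.0.113.7 tries six accounts once each (stuffing),
# 198.51.100.9 hammers a single account (brute force), 192.0.2.55 is normal.
SAMPLE_LOG = """\
2015-03-15T10:00:01 203.0.113.7 alice@example.net FAIL
2015-03-15T10:00:02 203.0.113.7 bob@example.net FAIL
2015-03-15T10:00:02 203.0.113.7 carol@example.net SUCCESS
2015-03-15T10:00:03 203.0.113.7 dave@example.net FAIL
2015-03-15T10:00:03 203.0.113.7 erin@example.net FAIL
2015-03-15T10:00:04 203.0.113.7 frank@example.net SUCCESS
2015-03-15T10:01:00 198.51.100.9 grace@example.net FAIL
2015-03-15T10:01:01 198.51.100.9 grace@example.net FAIL
2015-03-15T10:01:02 198.51.100.9 grace@example.net FAIL
2015-03-15T10:01:03 198.51.100.9 grace@example.net FAIL
2015-03-15T10:01:04 198.51.100.9 grace@example.net FAIL
2015-03-15T10:02:00 192.0.2.55 heidi@example.net SUCCESS
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events


def profile_sources(events):
    """Per source IP: distinct accounts tried, total attempts, successful logins."""
    prof = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for e in events:
        p = prof[e["ip"]]
        p["users"].add(e["user"])
        p["attempts"] += 1
        if e["ok"]:
            p["successes"] += 1
    return prof


def classify(prof, min_users=5, min_attempts=5):
    """Label each IP.

    'stuffing'   -> many distinct accounts, fewer than two tries per account on average
    'bruteforce' -> a single account hit at least min_attempts times
    'normal'     -> anything else
    """
    labels = {}
    for ip, p in prof.items():
        n_users = len(p["users"])
        if n_users >= min_users and p["attempts"] / n_users < 2:
            labels[ip] = "stuffing"
        elif n_users == 1 and p["attempts"] >= min_attempts:
            labels[ip] = "bruteforce"
        else:
            labels[ip] = "normal"
    return labels


def compromised_accounts(events, labels):
    """Accounts that logged in successfully from a source labelled 'stuffing':
    the reused email/password pair worked here, so force a reset on these."""
    return sorted({e["user"] for e in events if e["ok"] and labels.get(e["ip"]) == "stuffing"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    lab = classify(profile_sources(evs))
    for ip, label in lab.items():
        print(ip, label)
    print("force reset:", compromised_accounts(evs, lab))
```

The thresholds are illustrative; in practice they are tuned per site, and the per-IP view should be complemented by a per-account view, since stuffing tools rotate through proxies so that each IP tries only a handful of accounts.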
Posted 3/16/15
Here are a few things to note that Crunchyroll can do to make it harder to take over accounts:

1) When changing emails and passwords, include a page/entry with a question/answer security choice. Like "What's your favorite anime character?"

2) After 5 password attempts, lock the account and send an email to existing account user to re-activate it or tell the user to change the password.

As for account recovery, I suggest users pay via PAYPAL instead of credit card for your account. It seems to be the simplest method to report back to the "really limited" customer support page. When CrunchyRoll support asked me the following:

Your full name as it appears on your credit card
The brand of your credit card (e.g. Visa)
The last 4 digits of your credit card number
The expiration date of your credit card
The billing zip code of your credit card

I replied back, but still didn't get help. Fortunately, this CC has limited funds. However, as an IT Analyst, I would NEVER EVER send this information over email as it is a huge security issue, even if it is for support purposes. Right now, it's a grey area in PCI compliance, but I'm sure it'll become a red flag in the future.
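Suggestion 2 in the post above (lock after five failed attempts and make the user re-activate by email) is straightforward to implement server-side. The following is an added example, not Crunchyroll's code and not from the poster; the class name `LoginGuard`, the in-memory `outbox` standing in for an email sender, and the PBKDF2 password store are all assumptions made for the illustration.

```python
"""Lock an account after MAX_FAILURES consecutive bad logins and require an
emailed reactivation token before it accepts logins again.

Added example, not Crunchyroll's code. LoginGuard, outbox and the PBKDF2
user store are hypothetical stand-ins for a real session/email/user backend.
"""
import hashlib
import hmac
import secrets

MAX_FAILURES = 5


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 with a per-user salt; iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self, users):
        self.users = users      # email -> (salt, pbkdf2 hash)
        self.failures = {}      # email -> consecutive failed attempts
        self.locked = {}        # email -> reactivation token currently outstanding
        self.outbox = []        # constructed stand-in for an email sender

    def attempt(self, email, password):
        """Return 'ok', 'denied' or 'locked'.

        Unknown accounts get the same 'denied' as a wrong password so the
        response does not reveal which emails are registered.
        """
        if email in self.locked:
            return "locked"
        record = self.users.get(email)
        if record is None:
            return "denied"
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            self.failures[email] = 0
            return "ok"
        self.failures[email] = self.failures.get(email, 0) + 1
        if self.failures[email] >= MAX_FAILURES:
            self._lock(email)
            return "locked"
        return "denied"

    def _lock(self, email):
        """Lock the account and email the owner a one-time reactivation token."""
        token = secrets.token_urlsafe(32)
        self.locked[email] = token
        self.outbox.append({
            "to": email,
            "subject": "Your account was locked after repeated failed logins",
            "token": token,
        })

    def reactivate(self, email, token):
        """Clear the lock if the presented token matches the one emailed out."""
        expected = self.locked.get(email)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.locked[email]
        self.failures[email] = 0
        return True


if __name__ == "__main__":
    salt = b"constructed-salt"
    guard = LoginGuard({"alice@example.net": (salt, hash_password("correct horse", salt))})
    for _ in range(5):
        print(guard.attempt("alice@example.net", "wrong"))
    print("mail sent:", guard.outbox[0]["to"])
```

Note that the lock is per account, not per source IP, so a credential-stuffing run that tries each account only once never trips it; that is why a counter like this is a complement to, not a substitute for, monitoring of login traffic across accounts.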
Dragon
Posted 3/16/15


Closed by OP request