Is it possible to get in contact with Crunchyroll's security team?
sshum 
Posted 11/10/15
Hey guys, anyone knows if there's a way to contact CR's security team?

After my account got compromised, I started investigating possible avenues of compromise, leaks, etc. and I stumbled on something pretty nasty, a data dump of compromised Crunchyroll credentials, the dumps were not massive, but it was posted just yesterday. For some background, I work in a Cyber Threat role so I'm pretty familiar with compromises. I contacted support but this will probably get ignored.
One Punch Mod
Posted 11/10/15

sshum wrote:

Hey guys, anyone knows if there's a way to contact CR's security team?

After my account got compromised, I started investigating possible avenues of compromise, leaks, etc. and I stumbled on something pretty nasty, a data dump of compromised Crunchyroll credentials, the dumps were not massive, but it was posted just yesterday. For some background, I work in a Cyber Threat role so I'm pretty familiar with compromises. I contacted support but this will probably get ignored.


I'm sure your message to support about this will not get ignored, but I have alerted the customer support lead to your post here.
sshum 
Posted 11/10/15

lorreen wrote:


sshum wrote:

Hey guys, anyone knows if there's a way to contact CR's security team?

After my account got compromised, I started investigating possible avenues of compromise, leaks, etc. and I stumbled on something pretty nasty, a data dump of compromised Crunchyroll credentials, the dumps were not massive, but it was posted just yesterday. For some background, I work in a Cyber Threat role so I'm pretty familiar with compromises. I contacted support but this will probably get ignored.



I'm sure your message to support about this will not get ignored, but I have alerted the customer support lead to your post here.


Thank you
Posted 11/10/15
I can't thank you enough for finding this, and trying to protect the rest of us. (^_^)



Vaguely-related tangent: I've never understood why the news sometimes calls a person a hero for saving his own life, or for protecting himself. I've always thought of heroes as people who try to protect others.
Der Zoodirektor
Posted 11/10/15

sshum wrote:

Hey guys, anyone knows if there's a way to contact CR's security team?

After my account got compromised, I started investigating possible avenues of compromise, leaks, etc. and I stumbled on something pretty nasty, a data dump of compromised Crunchyroll credentials, the dumps were not massive, but it was posted just yesterday. For some background, I work in a Cyber Threat role so I'm pretty familiar with compromises. I contacted support but this will probably get ignored.


It basically works like this:
Some website is hacked, the credentials leaked to the net, the attackers fill a large database with those. Then they run a script that uses thousands of open proxies to try the login pages of various VOD services (Netflix, Hulu, Crunchyroll, ...) or other services that involve money for credentials that work on those services.
As each of the proxies and credentials is basically just used once, it is basically not possible to track it, unless the attack reaches the frequency of a DDoS attack.
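An added example, not part of the original thread: the post above describes each proxy and credential pair being used about once, which is why a per-IP counter sees nothing. The sketch below runs a per-IP limiter and a set of aggregate per-window signals over the same constructed login events; the event format, function names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events: (unix_second, source_ip, username, login_ok).
# Window 0 is ordinary traffic; window 1 adds 40 single-use IP/username pairs.
SAMPLE = [(i, f"198.51.100.{i % 10}", f"user{i % 10}", i % 10 != 0) for i in range(30)]
SAMPLE += [(60 + i, f"203.0.113.{i}", f"victim{i}@example.com", i == 7) for i in range(40)]
SAMPLE += [(100 + i, f"198.51.100.{i}", f"user{i}", True) for i in range(5)]

def per_ip_limiter_hits(events, limit=5, window=60):
    """Classic per-IP rate limit: (window, ip) pairs with more than `limit` attempts."""
    counts = defaultdict(int)
    for ts, ip, _user, _ok in events:
        counts[(ts // window, ip)] += 1
    return sorted(key for key, n in counts.items() if n > limit)

def window_stats(events, window=60):
    """Aggregate signals per time window, independent of any single IP."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))
    stats = {}
    for w, rows in sorted(buckets.items()):
        n = len(rows)
        stats[w] = {
            "attempts": n,
            "fail_ratio": sum(1 for _, _, ok in rows if not ok) / n,
            "ips_per_attempt": len({ip for ip, _, _ in rows}) / n,
            "users_per_attempt": len({u for _, u, _ in rows}) / n,
        }
    return stats

def flag_stuffing(stats, min_attempts=20, fail_ratio=0.8, spread=0.9):
    """Windows where most logins fail and almost every attempt is a new IP and username."""
    return [w for w, s in stats.items()
            if s["attempts"] >= min_attempts
            and s["fail_ratio"] >= fail_ratio
            and s["ips_per_attempt"] >= spread
            and s["users_per_attempt"] >= spread]

if __name__ == "__main__":
    stats = window_stats(SAMPLE)
    print("per-IP limiter hits:", per_ip_limiter_hits(SAMPLE))
    print("flagged windows:", flag_stuffing(stats))
```

On the constructed data the per-IP limiter reports nothing, while the aggregate check flags the second window because the failure ratio and the spread of new IPs and usernames rise together.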
sshum 
Posted 11/10/15

shinryou wrote:


sshum wrote:

Hey guys, anyone knows if there's a way to contact CR's security team?

After my account got compromised, I started investigating possible avenues of compromise, leaks, etc. and I stumbled on something pretty nasty, a data dump of compromised Crunchyroll credentials, the dumps were not massive, but it was posted just yesterday. For some background, I work in a Cyber Threat role so I'm pretty familiar with compromises. I contacted support but this will probably get ignored.


It basically works like this:
Some website is hacked, the credentials leaked to the net, the attackers fill a large database with those. Then they run a script that uses thousands of open proxies to try the login pages of various VOD services (Netflix, Hulu, Crunchyroll, ...) or other services that involve money for credentials that work on those services.
As each of the proxies and credentials is basically just used once, it is basically not possible to track it, unless the attack reaches the frequency of a DDoS attack.


Certainly hope that is the case. The small number of leaked credentials does seem to point to this conclusion. The only two instances where I've used my CR password was my Gmail password from 7 years ago, so that's the only reason why I'm overly concerned about it. I do hope that's the case though.
Polysyllabic Support Lead
Posted 11/10/15
Hey everybody, sorry for the delayed response. I've escalated this matter to our security team, and they're having a look at it right now. Hang tight, and in the meantime change your passwords to something strong. Sorry again for the worry, folks, we're on the case.
Posted 11/10/15
I shall use the ultimate sand jutsu to smother this flamboyant attack
Posted 11/10/15 , edited 11/10/15

ShinAmaterasu wrote:

I shall use the ultimate sand jutsu to smother this flamboyant attack


The security team:


(^_^)
Der Zoodirektor
Posted 11/11/15 , edited 11/11/15

Anonymooo wrote:

Hey everybody, sorry for the delayed response. I've escalated this matter to our security team, and they're having a look at it right now. Hang tight, and in the meantime change your passwords to something strong. Sorry again for the worry, folks, we're on the case.


Let me add:

It is more important to use a different password for each website you are using. Brute-forcing website logins for weak passwords isn't worth it; the cross-matching approach is a much bigger threat, and much easier to do for the attacker.