Suspicious email from Crunchyroll
9 cr points
Posted 3/20/18 , edited 3/20/18
Today I got a suspicious looking email that appears to be from [email protected] but I was very skeptical of it. It had the right branding and whatnot but this is what it said (with links intentionally broken by ***):


Hi there,

It looks like someone has shared your password somewhere. You should change all your passwords on all sites that you use. Be sure not to use the same password on more than one site, as that's how someone can get into other people's accounts.

We've scrambled your current password, so you'll need to use the Password Reset form:
http://www.crunchy *** roll.com/resetpw

Here is an article about how this happens:
http://www.daily *** mail.co.uk/news/article-2888339/Hackers-release-cache-13-000-passwords-credit-cards-Playstation-Xbox-Amazon-users.html

As well as changing your password, you should also delete any devices on your account and re-add them only as needed.

Please let us know if you have any questions.


Upon seeing this I opened a new tab, came here and selected a password reset from the login page. I got an email that added itself to the same conversation as the first email in gmail, so even gmail thinks they came from the same sender, but the password reset email starts with "Hi Crunchyroll user," and ends with "Regards, The Crunchyroll Team" which made me even more suspicious of the first email. Not only that, but the article it links to is about a breach in 2014 that didn't even include Crunchyroll.

Is this a legit email? Has anyone else received this email? Has there been a breach that we should be aware of?

EDIT: I should mention that I searched for the article separately and did not click either link in the email.
Dragon
69712 cr points
Posted 3/20/18 , edited 3/20/18

Tasrayryn wrote:

Today I got a suspicious looking email that appears to be from [email protected] but I was very skeptical of it. It had the right branding and whatnot but this is what it said (with links intentionally broken by ***):


Hi there,

It looks like someone has shared your password somewhere. You should change all your passwords on all sites that you use. Be sure not to use the same password on more than one site, as that's how someone can get into other people's accounts.

We've scrambled your current password, so you'll need to use the Password Reset form:
http://www.crunchy *** roll.com/resetpw

Here is an article about how this happens:
http://www.daily *** mail.co.uk/news/article-2888339/Hackers-release-cache-13-000-passwords-credit-cards-Playstation-Xbox-Amazon-users.html

As well as changing your password, you should also delete any devices on your account and re-add them only as needed.

Please let us know if you have any questions.


Upon seeing this I opened a new tab, came here and selected a password reset from the login page. I got an email that added itself to the same conversation as the first email in gmail, so even gmail thinks they came from the same sender, but the password reset email starts with "Hi Crunchyroll user," and ends with "Regards, The Crunchyroll Team" which made me even more suspicious of the first email. Not only that, but the article it links to is about a breach in 2014 that didn't even include Crunchyroll.

Is this a legit email? Has anyone else received this email? Has there been a breach that we should be aware of?

EDIT: I should mention that I searched for the article separately and did not click either link in the email.


I haven't seen anything like that myself, but one thing to check, if you can, is the full source of the email. Usually if it's a scam of some type, it'll have something obviously not Crunchyroll-related in the sender, or at the very least in the Received chain. If you want, PM me and we can exchange details on how the emails should look; I have a few stored away with the full source that are legit.

For safety, I would recommend changing your password anyway if you see something like this, since it's not the worst idea. I know a lot of breaches happen, and there have been batches of people caught up in, say, an Adobe breach who used the same email/pw on Crunchyroll, which was tested and then listed as hacked. Also check your device list in your profile, again just to be on the safe side.
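The header comparison described above, as an added example for this thread (it is not code from the poster or from Crunchyroll). It parses a constructed raw message with Python's stdlib `email` package and pulls out the fields you would compare against a known-good message: the From domain versus the Return-Path (envelope) domain, the Received chain hop by hop, and the receiving server's Authentication-Results verdicts. Every host, IP address and domain in the sample is invented, and the "organizational domain" helper is an approximation (real code consults the Public Suffix List).

```python
"""Inspect the full source of a message for signs the sender was spoofed."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample: the header From claims example.com, but the envelope
# sender, the first relay and the SPF/DMARC verdicts all say otherwise.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10])
        by imap.example.org with ESMTPS id abc123
        for <user@example.org>; Tue, 20 Mar 2018 10:00:00 +0000
Received: from unknown (HELO relay7.example.net) ([198.51.100.7])
        by mx.example.org with SMTP; Tue, 20 Mar 2018 09:59:58 +0000
Authentication-Results: mx.example.org;
        spf=fail smtp.mailfrom=mail-relay.example.net;
        dkim=none;
        dmarc=fail (p=none) header.from=example.com
From: Support <support@example.com>
To: user@example.org
Subject: Password reset required
Content-Type: text/plain

Please reset your password.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def org_domain(domain):
    """Approximate the DMARC 'organizational domain' as the last two labels.
    Assumption: a real implementation consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Domain part of the first address in a header, '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """Received chain, final hop first, as the from host, by host and IPs."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", str(raw))  # unfold continuation lines
        frm = re.search(r"\bfrom (\S+)", line)
        by = re.search(r"\bby (\S+)", line)
        hops.append({
            "from": frm.group(1) if frm else "",
            "by": by.group(1) if by else "",
            "ips": IPV4.findall(line),
        })
    return hops


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(raw)):
            verdicts.setdefault(mech, result.lower())
    return verdicts


def analyze(raw_message):
    """Return the comparison points plus a list of human-readable findings."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    from_domain = address_domain(msg.get("From"))
    rp_domain = address_domain(msg.get("Return-Path"))
    hops = received_hops(msg)
    auth = auth_results(msg)
    findings = []
    if rp_domain and org_domain(rp_domain) != org_domain(from_domain):
        findings.append(f"Return-Path domain {rp_domain} does not align with From domain {from_domain}")
    if hops and hops[-1]["from"] in ("unknown", ""):
        findings.append("first hop has no resolvable sending host")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) in ("fail", "softfail", "permerror"):
            findings.append(f"{mech} result is {auth[mech]}")
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "hops": hops, "auth": auth, "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_RAW)
    for hop in report["hops"]:
        print(f"hop: from={hop['from']} by={hop['by']} ips={hop['ips']}")
    for finding in report["findings"]:
        print("!", finding)
```

The Received chain is read bottom-up: the last header is the first relay that touched the message, and it is the one a spoofer controls, so a HELO name or IP there that belongs to nobody you recognise is the strongest tell. A legitimate message from the same sender should show the same first-hop infrastructure each time, which is what comparing against a stored known-good source gives you.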
15519 cr points
☆Land of sweets☆
Posted 3/20/18 , edited 3/20/18
Here's some more technical information from Lifehacker: How Spammers Spoof Your Email Address (and How to Protect Yourself)

Then, in 2012, a new record type was introduced, designed to work alongside SPF. It's called DMARC, or Domain-based Message Authentication, Reporting, and Conformance. After a single year, it's expanded to protect a large number of consumer mailboxes (although the self-proclaimed 60% is probably optimistic). Matthew explains the details:



DMARC boils down to two important flags (although there are 10 total): the "p" flag, which instructs receiving servers on how to deal with potentially phony emails, either by rejecting, quarantining, or passing; and the "rua" flag, which tells receiving servers where they can send a report about failed messages (usually an email address at the domain admin's security group). The DMARC record solves most of the issues with SPF records by taking the burden of deciding how to respond away from the recipient.

The problem is, not everyone uses DMARC yet.

This handy tool allows you to query any domain's DMARC record - try it out on a few of your favorites (gawker.com, whitehouse.gov, redcross.org, reddit.com). Notice anything? None of them have published DMARC records. That means that any email host that tries to conform to the rules of DMARC wouldn't have any instructions on how to handle SPF-failed emails, and would probably let them through. That's what Google does with Gmail (and Google Apps), and that's why phony emails can get through to your inbox.

To prove that Google does pay attention to DMARC records, look at the DMARC record for facebook.com - the "p" flag indicates that recipients should reject emails, and send a report about it to the postmaster at Facebook. Now try to fake an email from facebook.com and send it to a Gmail address—it won't go through. Now look at the DMARC record for fb.com - it indicates that no email should be rejected, but a report should be made anyway. And if you test it, emails from @fb.com will go through.

Matthew also noted that the "postmaster report" is no joke. When he tried spoofing a domain with a DMARC record, his SMTP server was blocked in less than 24 hours. In our testing, we noticed the same. If a domain is set up properly, they'll put an end to those spoofed messages quickly—or at least until the spoofer uses a different IP address. However, a domain that doesn't have DMARC records is fair game. You could spoof them for months and no one on the sending end would notice—it would be up to the receiving mail provider to protect their users (either by flagging the message as spam based on content, or based on the message's failed SPF check.)

The tools necessary to spoof email addresses are surprisingly easy to get. All you need is a working SMTP server (aka, a server that can send email), and the right mailing software.

Any good web host will provide you with an SMTP server. (You could also install SMTP on a system you own, but port 25—the port used for outgoing email—is usually blocked by ISPs. This is specifically to avoid the kind of mass-emailing malware we saw in the early 2000s.) For his prank on us, Matthew used PHP Mailer. It's easy to understand, easy to install, and it even has a web interface. Open PHP Mailer, compose your message, put in the "from" and "to" addresses, and click send. On the recipient's end, they'll get an email in their inbox that looks like it came from the address you typed in.



Crunchyroll did not set the DMARC flags, which means anyone can pretend to be from Crunchyroll and the email services will let the emails through.

For comparison, this is what a properly set DMARC record should look like:


There have been plenty of people getting hacked on Crunchyroll; this thread might explain why.
Contrary to what Crunchyroll says, it's possible their accounts were not leaked due to re-using the same password on other sites.
Instead, they may have been victims of phishing. Crunchyroll did not set any DMARC flags, which means anyone can make a spoofed email, and users would be none the wiser.
Yes, that means users getting hacked may have been due to poor security practices from Crunchyroll itself.

If any staff are reading this, set your DMARC already.

Edit: and for anyone claiming that phishing emails are easy to spot, Lifehacker staff were tricked themselves, and they are as tech-savvy as it gets (for users without a CS degree, that is).
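The "p" and "rua" tags and the "no record means no instruction" behaviour described in the quoted article, worked through in code. This is an added example for this thread, not code from Lifehacker, from any mail provider or from Crunchyroll. `parse_dmarc` reads the TXT record a domain publishes at `_dmarc.<domain>`; `evaluate` applies the RFC 7489 rule that DMARC passes only when SPF or DKIM passes *and* the authenticated domain aligns with the header From domain, and otherwise returns the p= (or sp= for subdomains) disposition. The record store is a constructed stand-in for DNS with invented domains, and the organizational-domain helper is an approximation (real code uses the Public Suffix List).

```python
"""Parse a DMARC record and work out what a receiver does with a message."""

# Constructed stand-ins for `_dmarc.<domain>` TXT lookups. A real check
# queries DNS instead (e.g. `dig +short TXT _dmarc.example.com`).
FAKE_DNS = {
    "brand.example": "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example; sp=quarantine",
    "brand-alt.example": "v=DMARC1; p=none; rua=mailto:dmarc@brand-alt.example",
    # noprotect.example publishes nothing, like the domains the article lists.
}

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
POLICIES = ("none", "quarantine", "reject")


def org_domain(domain):
    """Approximate organizational domain as the last two labels
    (assumption: real code uses the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Return a tag dict for a DMARC record, or None if txt is not one."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None  # v=DMARC1 must be the first tag
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in POLICIES:
        return None  # p= is mandatory
    record = dict(DEFAULTS, **tags)
    record.setdefault("sp", record["p"])  # subdomain policy defaults to p
    return record


def lookup_dmarc(header_from, dns=FAKE_DNS):
    """Record for the From domain, else for its organizational domain."""
    for name in (header_from.lower(), org_domain(header_from)):
        if name in dns:
            record = parse_dmarc(dns[name])
            if record:
                return record, name
    return None, None


def aligned(auth_domain, header_from, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate(header_from, spf_result, spf_domain, dkim_result, dkim_domain,
             dns=FAKE_DNS, sampled=True):
    """Return (dmarc_result, disposition) for one message."""
    record, name = lookup_dmarc(header_from, dns)
    if record is None:
        # No record: the receiver has no instruction and delivers on its
        # own judgement, which is exactly what lets spoofed mail through.
        return "none", "deliver (no DMARC record)"
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # A subdomain without its own record falls under sp= of the org record.
    action = record["sp"] if header_from.lower() != name else record["p"]
    if not sampled and int(record["pct"]) < 100:
        # Messages outside the pct= sample get the next weaker action.
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return "fail", action


if __name__ == "__main__":
    cases = [
        ("brand.example", "pass", "bounce.brand.example", "none", ""),
        ("brand.example", "pass", "mail-relay.other.example", "none", ""),
        ("news.brand.example", "fail", "", "none", ""),
        ("brand-alt.example", "fail", "", "none", ""),
        ("noprotect.example", "fail", "", "none", ""),
    ]
    for case in cases:
        print(case[0], "->", evaluate(*case))
```

The last two cases are the ones the article contrasts: a record with p=none still produces a report (the rua address gets told), but the message is delivered; no record at all produces neither a report nor a disposition, so nobody on the sending side ever learns the domain is being spoofed.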
Dragon
69712 cr points
Posted 3/20/18 , edited 3/20/18

namealreadytaken wrote:
edit: and for anyone claiming that phishing emails are easy to spot, Lifehacker staff were tricked themselves, and they are as tech-savvy as it gets (for users without a CS degree, that is).


To be fair, one of my degrees is in CS, so I appreciate that edit. Even I don't say they're easy to spot, just that there are things to check as a baseline to start from, because many phishing emails are stupidly simple. Among other things, look for HTML emails, img links that actually go to scripts (because they can load data or detect information while passing back simple image data in their result), and so on. There's lots to go off of.

Also good info to share, so while double posting in your own thread and here is usually discouraged, I think leaving both is a good idea.
110426 cr points
58 / M / U.S.A. (mid-south)
Posted 3/20/18 , edited 3/21/18

Tasrayryn wrote:

Today I got a suspicious looking email that appears to be from [email protected] but I was very skeptical of it. It had the right branding and whatnot but this is what it said (with links intentionally broken by ***):

Best practice when getting an unsolicited e-mail from any site telling you to login or otherwise access your account and providing a link to do so, is to go directly to that site in the browser by normal means (e.g., typing in the URL, or selecting it from your history or bookmarks), and see if anything is out of the ordinary.

While the URL the e-mail at least displayed was indeed legit (i.e., that is an actual password reset page on CR), that of course doesn't mean the actual link in that e-mail led there. With the trickery possible with Unicode characters, even copying and pasting the displayed URL from an e-mail can no longer be considered completely risk-free.
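The two tricks named above, displayed text that differs from the real link target and Unicode look-alike characters in a hostname, checked in code. This is an added example for this thread, not code from the poster or from Crunchyroll. It walks every anchor in a constructed HTML body with the stdlib HTMLParser, compares the host a link displays with the host its href actually points at, and reports any non-ASCII characters in the target host together with the punycode (`xn--`) form it would resolve as. The domains are invented; the look-alike uses a Cyrillic "а" (U+0430) in place of the Latin letter.

```python
"""Audit the links in an HTML email before trusting what they display."""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one honest link, one whose text and href disagree,
# and one whose hostname contains a Cyrillic look-alike letter.
SAMPLE_HTML = """
<p>Reset here: <a href="http://www.brand.example/resetpw">http://www.brand.example/resetpw</a></p>
<p>Or here: <a href="http://brand.example.attacker.test/resetpw">http://www.brand.example/resetpw</a></p>
<p>Or here: <a href="http://www.br\u0430nd.example/resetpw">www.brand.example</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href, self._text = None, []


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.brand.example'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlsplit(url_or_text).hostname or "").lower()


def suspicious_chars(host):
    """Unicode names of every non-ASCII character in a hostname."""
    return [unicodedata.name(ch, "?") for ch in host if ord(ch) > 127]


def audit_links(html):
    """Return one entry per link with the issues found for it."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        href_host = host_of(href)
        issues = []
        if "." in text and " " not in text:  # the visible text looks like a URL
            shown = host_of(text)
            if shown != href_host:
                issues.append(f"displays {shown} but links to {href_host}")
        odd = suspicious_chars(href_host)
        if odd:
            try:
                puny = href_host.encode("idna").decode("ascii")
            except UnicodeError:
                puny = "(idna encoding failed)"
            issues.append(f"non-ASCII characters in host {odd}; resolves as {puny}")
        if href_host.startswith("xn--") or ".xn--" in href_host:
            issues.append("punycode label in host")
        report.append({"href": href, "text": text, "host": href_host, "issues": issues})
    return report


if __name__ == "__main__":
    for entry in audit_links(SAMPLE_HTML):
        status = "; ".join(entry["issues"]) or "ok"
        print(f"{entry['text']!r} -> {entry['host']}: {status}")
```

The third link is the copy-and-paste case from the post: the visible text is all ASCII, but the href host is not, and a mail client that shows the raw href would render it identically to the real domain. Checking the hostname's characters, not its appearance, is the only reliable test.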

9 cr points
Posted 3/20/18 , edited 3/21/18
Thanks all.

I did independently go directly to Crunchyroll without clicking the links, because I know that whilst they did look like the correct links at first glance that they may still be hiding scripts or other such things. I checked my account settings and all (I'm not a premium member and I've barely even watched anything here) and nothing seemed out of the ordinary but I requested a password reset from my account page anyway just to be safe. Still not sure if the email was legit, and it would be nice if a staff member could confirm one way or another if this looks like a real email, but in either case I probably don't need to worry about it any more.

Thank you for your responses, I greatly appreciate the help.
Der Zoodirektor
27139 cr points
36 / M / Germany
Posted 3/21/18 , edited 3/21/18

Tasrayryn wrote:

Thanks all.

I did independently go directly to Crunchyroll without clicking the links, because I know that whilst they did look like the correct links at first glance that they may still be hiding scripts or other such things. I checked my account settings and all (I'm not a premium member and I've barely even watched anything here) and nothing seemed out of the ordinary but I requested a password reset from my account page anyway just to be safe. Still not sure if the email was legit, and it would be nice if a staff member could confirm one way or another if this looks like a real email, but in either case I probably don't need to worry about it any more.

Thank you for your responses, I greatly appreciate the help.


We sent that email. It is fully legitimate.
9 cr points
Posted 3/21/18 , edited 3/22/18

shinryou wrote:

We sent that email. It is fully legitimate.


Well that's equal parts reassuring and troubling. How does Crunchyroll know that my password was shared? If there was an unsuccessful attempt to access my account from somewhere, clearly that person didn't actually have my password. If a successful login was made it would be hard to say it wasn't me based on IP because I haven't logged in enough in the history of my account to give a very thorough pattern of my location. I don't see any unusual activity in my account that would indicate that it was used by someone else. So whilst I am reassured that I'm not being targeted by a phishing attempt, I'm confused as to why you believe someone has my password. The only conclusion I can make that would explain how you'd know if someone has my password is if they stole it from you. Has there been a breach? Since this is a matter of security I kinda want to know if I actually need to be concerned about my password security or if this might have been an overestimation of a threat that was maybe just a mistake. If you can't talk openly about security, I'd appreciate anything you could say about this specific instance in a PM.

Thanks.
55883 cr points
62 / M / Earth
Posted 3/21/18 , edited 3/22/18

Tasrayryn wrote:
How does Crunchyroll know that my password was shared?


https://haveibeenpwned.com/pastes
Der Zoodirektor
27139 cr points
36 / M / Germany
Posted 3/22/18 , edited 3/22/18

Tasrayryn wrote:


Well that's equal parts reassuring and troubling. How does Crunchyroll know that my password was shared? If there was an unsuccessful attempt to access my account from somewhere, clearly that person didn't actually have my password. If a successful login was made it would be hard to say it wasn't me based on IP because I haven't logged in enough in the history of my account to give a very thorough pattern of my location. I don't see any unusual activity in my account that would indicate that it was used by someone else. So whilst I am reassured that I'm not being targeted by a phishing attempt, I'm confused as to why you believe someone has my password. The only conclusion I can make that would explain how you'd know if someone has my password is if they stole it from you. Has there been a breach? Since this is a matter of security I kinda want to know if I actually need to be concerned about my password security or if this might have been an overestimation of a threat that was maybe just a mistake. If you can't talk openly about security, I'd appreciate anything you could say about this specific instance in a PM.

Thanks.


It was being accessed from IPs from at least 25 different countries recently. We probably found it when investigating takeover cases involving premium accounts. As your account is not premium, it wasn't stolen, just accessed by many intruders. Free accounts are usually not used for anything, as these are something anyone is able to simply create.

We still send a warning email to all non-premium victims, too, as we feel that everyone should be informed of this situation.
9 cr points
Posted 3/22/18 , edited 3/22/18

shinryou wrote:
It was being accessed from IPs from at least 25 different countries recently. We probably found it when investigating takeover cases involving premium accounts. As your account is not premium, it wasn't stolen, just accessed by many intruders. Free accounts are usually not used for anything, as these are something anyone is able to simply create.

We still send a warning email to all non-premium victims, too, as we feel that everyone should be informed of this situation.


Ok, that's a pretty good explanation. Guess I might need to review some passwords after all. Thanks for the prompt and thorough response!
38534 cr points
M
Posted 3/22/18 , edited 3/23/18
Might I suggest not using dailymail.co.uk as an "information source" for any reason whatsoever if an email should be taken seriously.

I would deem the email as spam simply for that alone.