Warning: Crunchyroll Infected By Malware

[Teapot]

Heads up: Please do not visit Crunchyroll’s main website today – it has been hacked and infected with a virus. You should be okay to use the apps for now, but they appear to have been locked down as a precaution.

Currently, if you browse to any version of Crunchyroll on the web, the site will automatically try to download “CrunchyViewer.exe,’ and offer a “Try our new desktop application !” message. Both of these lead to malware – please do not open any files downloaded from Crunchyroll, and if you download it by mistake, immediately delete it and run a full virus scan on your computer.

There’s been no official statement from Crunchyroll in English yet, only a tweet in German, so we don’t know the extent of the damage – there’s no immediate evidence either way as to whether personal data has been stolen, but we’ll update as soon as we know more.

If you haven’t already, please take the time to review your passwords – if your Crunchyroll account shares a password with any other account, or is in any way similar, change them immediately to fully unique passwords.

Remember:

1. Do not ever re-use passwords between sites, including variations. If you had a single password and an attacker got it, it would give them access to every identity and account you have online. Even changing parts of your password per site won’t stop a committed attacker, so passwords need to be entirely unique.
2. To make the above practical, look into using a password manager such as LastPass (recommended), 1Password, KeePass, or (if you’re exclusively an Apple user) the built-in iCloud Keychain. Each of these allows you to generate a truly random password for every site you visit, and will automatically fill them in for you when visiting sites. Using a password manager makes your life much easier, and makes your accounts much more secure – and they’re generally cheap or free, and very easy to use.
3. Be particularly paranoid about your e-mail address’s security – anyone who gets into your e-mail address can get access to your other accounts too. Use a strong password, and enable two-factor authentication if your provider allows it – most major e-mail providers do. Two-factor authentication can be a bit of a pain, but it’s well worth it for the extra security it provides.
4. Consider plugging your e-mail into Have I Been Pwned to see if you’ve been affected by any of the innumerable data breaches over the last few years. If you have, change all your passwords now – perhaps it’s a good time to get a password manager?

Continue reading...

 

[Just Passing Through]

If it's a domain hijack, the way that it seems right now (the way ANN was hijacked a few weeks ago, then personal data will be safe, as it's just the domain, not the site that got hacked.

It looks that way, as Crunchyroll (US) are still tweeting as new shows go live, indicating they can't see the domain's been hijacked just yet, and they're only seeing their own site.

 

[Teapot]

If it's a domain hijack, the way that it seems right now (the way ANN was hijacked a few weeks ago, then personal data will be safe, as it's just the domain, not the site that got hacked.

I agree – it definitely looks that way. However, it'd be irresponsible for me to report that user data is fine until we've 100% confirmed that it is.

 

[Lambadelta]

It looks that way, as Crunchyroll (US) are still tweeting as new shows go live, indicating they can't see the domain's been hijacked just yet, and they're only seeing their own site.

Isn't episode announcements a bot. I doubt anyone in US is awake.

 

[Shadow Cat]

How long until the whole /worry about passwords/ thing doesn't need to be a thing anymore. -_-

I'm amazed Hash and Salt isn't a standard way of storing passwords now. Wonder how CR is stored

 

[Shadow Cat]

Crunchyroll.de on Twitter

Update: We have NOT been hacked. At the moment, it appears to be DNS hijacking.

 

[Teapot]

I've updated the article with the new info from Crunchyroll's Twitter.

 

[IdiomaticLynx]

How long until the whole /worry about passwords/ thing doesn't need to be a thing anymore. -_-

I'm amazed Hash and Salt isn't a standard way of storing passwords now. Wonder how CR is stored

As long as we use password for authentication, it will always be a thing. Even if the passwords are stored hashed with a salt, it's advisable to change your password after any form of hack/attack.

Also, I would really advise not visiting Crunchyroll (or using any of their apps) until its fixed, even if you think you know what you're doing. While the 'attack' seems to be focussed on spreading malware, it might also steal your session cookies when you visit. The session management of Crunchyroll is not particularly great (pretty terrible from what I know) so session hijacking can easily be done.

 

[Rena Ryuugu]

Thanks for the heads up I'm going to wait till Crunchyroll sorts everything out before using the PS4 app.

 

[ayase]

How long until the whole /worry about passwords/ thing doesn't need to be a thing anymore. -_-

Seriously, something needs to be done about passwords. These days you'd need to have literally hundreds if you used a different one for everything. And then you'd have to remember them all, all eight characters including upper-case, numbers and special characters as websites specify... I ain't got time or memory space to devote to that, my browser remembers them all and if it screws up I just reset it instead of having to remember anything so useless.

Why we can't just have a fingerprint reader attached to our PCs now that checks and stores authenticity locally so websites don't actually need to store and can't lose your passwords to hackers I don't know. Presumably that's how phones do it - I can use my fingerprint enabled phone to buy things off my damn credit card and I'm pretty sure that's not actually sending my fingerprint to the Co-op, so if it's good enough for banks I don't see why it shouldn't be good enough for everyone else. Hell, if it meant I never had to use a password again I'd be fine with my computer taking a blood sample every time I log on.

 

[Just Passing Through]

Crunchyroll on Twitter

Crunchyroll, tweeting that they are back. You guys can be the guinea pigs. I'll wait a couple of days.

Edit, might be worth restarting your PC/laptops, doing an ipconfig /flushdns before visiting.

 

[Gemsy-chan]

I won’t be able to go on CR until Sunday night so hopefully once others have tested it’ll be okay.

 

[qaiz]

Hell, if it meant I never had to use a password again I'd be fine with my computer taking a blood sample every time I log on.

That can be arranged.

 

[Just Passing Through]

So what did everyone watch instead while CR was down. I stuck a Blu-ray on and made it through three episodes of Panty & Stocking, a show I really have to be in the mood for.

 

[Shadow Cat]

So what did everyone watch instead while CR was down. I stuck a Blu-ray on and made it through three episodes of Panty & Stocking, a show I really have to be in the mood for.

Slept, Shopping and watched Anime on HiDive

Now its back I watched Kings Game (What was pretty decent)

 

[Ian Wolf]

Just to clarify, it is safe to go back on Crunchyroll now isn't it?

 

[Teapot]

Just to clarify, it is safe to go back on Crunchyroll now isn't it?

Yes, I watched a few episodes of BlendS earlier (logged out) and it was fine

 

[D1tchd1gger]

Just to clarify, it is safe to go back on Crunchyroll now isn't it?

All is good.

Crunchyroll on Twitter

 

[Ian Wolf]

@Teapot @D1tchd1gger Thanks very much.

 

[NormanicGrav]

So what did everyone watch instead while CR was down. I stuck a Blu-ray on and made it through three episodes of Panty & Stocking, a show I really have to be in the mood for.

I watched 5 episodes of Full Metal Panic! The Second Raid and 11 episodes of The Tatami Galaxy.