Warning: Crunchyroll Infected By Malware

Teapot

Guest
Heads up: Please do not visit Crunchyroll’s main website today – it has been hacked and infected with a virus. You should be okay to use the apps for now, but they appear to have been locked down as a precaution.

Currently, if you browse to any version of Crunchyroll on the web, the site will automatically try to download “CrunchyViewer.exe,” and offer a “Try our new desktop application!” message. Both of these lead to malware – please do not open any files downloaded from Crunchyroll, and if you download it by mistake, immediately delete it and run a full virus scan on your computer.


There’s been no official statement from Crunchyroll in English yet, only a tweet in German, so we don’t know the extent of the damage – there’s no immediate evidence either way as to whether personal data has been stolen, but we’ll update as soon as we know more.

If you haven’t already, please take the time to review your passwords – if your Crunchyroll account shares a password with any other account, or is in any way similar, change them immediately to fully unique passwords.

Remember:

  1. Do not ever re-use passwords between sites, including variations. If you had a single password and an attacker got it, it would give them access to every identity and account you have online. Even changing parts of your password per site won’t stop a committed attacker, so passwords need to be entirely unique.
  2. To make the above practical, look into using a password manager such as LastPass (recommended), 1Password, KeePass, or (if you’re exclusively an Apple user) the built-in iCloud Keychain. Each of these allows you to generate a truly random password for every site you visit, and will automatically fill them in for you when visiting sites. Using a password manager makes your life much easier, and makes your accounts much more secure – and they’re generally cheap or free, and very easy to use.
  3. Be particularly paranoid about your e-mail address’s security – anyone who gets into your e-mail address can get access to your other accounts too. Use a strong password, and enable two-factor authentication if your provider allows it – most major e-mail providers do. Two-factor authentication can be a bit of a pain, but it’s well worth it for the extra security it provides.
  4. Consider plugging your e-mail into Have I Been Pwned to see if you’ve been affected by any of the innumerable data breaches over the last few years. If you have, change all your passwords now – perhaps it’s a good time to get a password manager?

 
If it's a domain hijack, the way that it seems right now (the way ANN was hijacked a few weeks ago), then personal data will be safe, as it's just the domain, not the site that got hacked.

It looks that way, as Crunchyroll (US) are still tweeting as new shows go live, indicating they can't see the domain's been hijacked just yet, and they're only seeing their own site.
 
I agree – it definitely looks that way. However, it'd be irresponsible for me to report that user data is fine until we've 100% confirmed that it is. :)
 
How long until the whole /worry about passwords/ thing doesn't need to be a thing anymore. -_-

I'm amazed Hash and Salt isn't a standard way of storing passwords now. Wonder how CR is stored.
 
As long as we use passwords for authentication, it will always be a thing. Even if the passwords are stored hashed with a salt, it's advisable to change your password after any form of hack/attack.

Also, I would really advise not visiting Crunchyroll (or using any of their apps) until it's fixed, even if you think you know what you're doing. While the 'attack' seems to be focussed on spreading malware, it might also steal your session cookies when you visit. The session management of Crunchyroll is not particularly great (pretty terrible from what I know) so session hijacking can easily be done.
 
Seriously, something needs to be done about passwords. These days you'd need to have literally hundreds if you used a different one for everything. And then you'd have to remember them all, all eight characters including upper-case, numbers and special characters as websites specify... I ain't got time or memory space to devote to that, my browser remembers them all and if it screws up I just reset it instead of having to remember anything so useless.

Why we can't just have a fingerprint reader attached to our PCs now that checks and stores authenticity locally so websites don't actually need to store and can't lose your passwords to hackers I don't know. Presumably that's how phones do it - I can use my fingerprint enabled phone to buy things off my damn credit card and I'm pretty sure that's not actually sending my fingerprint to the Co-op, so if it's good enough for banks I don't see why it shouldn't be good enough for everyone else. Hell, if it meant I never had to use a password again I'd be fine with my computer taking a blood sample every time I log on.
 