NEWS: Report: 2.5 Million Funimation Accounts Compromised in Data Breach



Note: this is the discussion thread for this article

Blanchimont



Joined: 25 Feb 2012
Posts: 3446
Location: Finland
Posted: Thu Feb 23, 2017 1:51 pm
myamine wrote:
Damn, I should have tipped off ANN about this way back when I found out about it. It was back in August when I found out the database was freshly dumped. If I remember correctly, the database contained emails, passwords (to some accounts), IP address, last login, usernames, and birthdays. Not sure exactly as I didn't see the raw dump. I just used Leaked Source and found my free account there.

I did email them, however, they just told me they were "looking into it".

So they DID know about it. But didn't disclose the breach to users. Only asked one month back to change passwords (according to comments in this thread). How many facepalms can you count?...

Luckily I don't have a Funi account, due to being in the wrong region. This reminds me it's high time to change my CR password once again, just in case...
Shiroi Hane
Encyclopedia Editor


Joined: 25 Oct 2003
Posts: 7580
Location: Wales
Posted: Thu Feb 23, 2017 2:37 pm
I can confirm it does not affect the UK service (which initially had a completely separate userbase) since I registered there with a different email address to the two I have registered on the US site (both of which were affected).

Could be worse; when MVM's store was hacked I had fraudulent payments on two different cards (and they've never acknowledged the breach). I've been using PayPal exclusively there since.
myamine



Joined: 13 Apr 2011
Posts: 6
Posted: Thu Feb 23, 2017 6:24 pm
Blanchimont wrote:
myamine wrote:
Damn, I should have tipped off ANN about this way back when I found out about it. It was back in August when I found out the database was freshly dumped. If I remember correctly, the database contained emails, passwords (to some accounts), IP address, last login, usernames, and birthdays. Not sure exactly as I didn't see the raw dump. I just used Leaked Source and found my free account there.

I did email them, however, they just told me they were "looking into it".

So they DID know about it. But didn't disclose the breach to users. Only asked one month back to change passwords (according to comments in this thread). How many facepalms can you count?...

Luckily I don't have a Funi account, due to being in the wrong region. This reminds me it's high time to change my CR password once again, just in case...


I don't know if they knew before my email, but once they got my email they should have at least force reset everyone's password, but till this day, I've never gotten an email telling me about the breach or pw reset.
ペンネーム



Joined: 19 Nov 2014
Posts: 8
Posted: Thu Feb 23, 2017 7:14 pm
Things just got worse:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Sites using Cloudflare, like Anime News Network, Crunchyroll and millions more, have been "bleeding" PII including usernames and passwords.

Congratulations! Your passwords and usernames are not safe here because they used a terrible product to try to protect from DDoS instead of investing in good technology and superior solutions.
Suena



Joined: 27 May 2012
Posts: 289
Posted: Thu Feb 23, 2017 8:02 pm
This is why I give out a fake birthdate to most websites. All they really need is to know that I'm over 18 anyway. I also only ever used my PayPal account to purchase from them, which I have to log in to independently, so there's little risk of them swiping my payment info.

I was prompted to change my Funi password the last time I logged in (a month or so ago). I hadn't logged into the site in several months at the time.
leafy sea dragon



Joined: 27 Oct 2009
Posts: 7163
Location: Another Kingdom
Posted: Thu Feb 23, 2017 11:30 pm
^__^v wrote:
Perhaps keep track of only the sites (or usernames if nothing else) one is registered, and request (or manually change) a new password every time to log in? The suggestion is not foolproof, but I guess it is better than nothing. Personally I'm not a fan of password keepers/managers.


Heh, my aunt does that, but for an entirely different reason than security: She hasn't quite grasped the concept of digital passwords, so she uses the "Forgot password?" link every time she wants to log in to something, then uses the new password given out on the e-mail.

nagpo wrote:
Honestly if you're still using streaming services you deserve this


Besides the fact that no one deserves to have their data compromised, is there something even better than streaming that has since come out that we all don't know about?
yuna49



Joined: 27 Aug 2008
Posts: 3804
Posted: Fri Feb 24, 2017 8:51 am
myamine wrote:
If I remember correctly, the database contained emails, passwords (to some accounts), IP address, last login, usernames, and birthdays.

Were the passwords in plain-text, or were they encrypted?
yuna49



Joined: 27 Aug 2008
Posts: 3804
Posted: Fri Feb 24, 2017 9:07 am
ペンネーム wrote:
Sites using Cloudflare, like Anime News Network, Crunchyroll and millions more, have been "bleeding" PII including usernames and passwords.

Let's calm down a bit first, okay? A particular set of circumstances had to exist for the exposure to occur.

Quote:
The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).

In order for the memory to leak the following had to be true:

The final buffer containing data had to finish with a malformed script or img tag
The buffer had to be less than 4k in length (otherwise NGINX would crash)
The customer had to either have Email Obfuscation enabled (because it uses both the old and new parsers as we transition),
… or Automatic HTTPS Rewrites/Server Side Excludes (which use the new parser) in combination with another Cloudflare feature that uses the old parser.
… and Server-Side Excludes only execute if the client IP has a poor reputation (i.e. it does not work for most visitors).

That explains why the buffer overrun resulting in a leak of memory occurred so infrequently.


https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

So whether the use of Cloudflare by ANN or Crunchyroll leaked information is completely unknown, but pretty unlikely.

Funimation's behavior, on the other hand, is entirely despicable and could be, as Mark Gosdin suggests, in violation of some states' laws on consumer privacy. I use unique email addresses at every site I have an account on (one of the benefits of owning a domain) and haven't seen any fallout from this breach yet.
maxwell3094



Joined: 28 Mar 2014
Posts: 148
Posted: Fri Feb 24, 2017 9:33 am
It's unlikely but the Cloudflare bug has been happening for a few months now and a lot of sites use it so it's possible some people had their info for ANN leaked. Best to update your password here (and on any other site you use that uses Cloudflare) just to be on the safe side in the off chance that your password got leaked.

Though it's worth noting that the earliest the Cloudflare bug started was in September and the article says Funi's breach happened last July so it was apparently totally unrelated and doesn't change that Funi are still total scumbags for not warning their users.
Kadmos1



Joined: 08 May 2014
Posts: 13552
Location: In Phoenix but has an 85308 ZIP
Posted: Sat Feb 25, 2017 6:44 am
Their old motto of "You should be watching" is somewhat ironic now.