| We have noticed an increase in brute force hacking attempts on user accounts recently. While we have increased the strength of our login system, there are limits to what we can do to combat this when users are not taking basic account security precautions themselves. Thus, we are hoping to remind everyone of some things you should be doing (both on and off MAL) to help prevent your accounts from being compromised. If you have a simple password, please update it immediately. Within the last two years, MAL has considerably increased its password requirements in attempt to help you keep your account safe. However, if you have not changed your password since 2015 or before, you may still be using a very simple password. Please update this immediately. All passwords should consist of upper and lower case letters, numbers, and special characters for maximum security. Change your passwords frequently. Even a complex password can be brute forced: it simply requires more time than a simple one. By keeping your passwords complex and changing them often, you can greatly reduce the chances of having your account stolen from you. Do not use the same passwords on many accounts across the internet. Doing so increases your risk of losing access to all of your accounts, including email, Amazon, Paypal, Facebook, blogs, etc. By having them all the same, a potential hacker only needs to compromise one site to have all of your personal information. Make sure your email address on your account is up-to-date. This ensures you can receive password resets if you forget your complex password, and that we can contact you if need be. You can change your email address here: http://myanimelist.net/editprofile.php?go=myoptions Please note that the following domains often bounce MAL's emails: http://myanimelist.net/forum/?topicid=252840 Do not enter your personal details into any form on the internet that you are not 100% aware of. In the last year or two, we've seen a dramatic increase in the rise of phishing sites, pretending to be MAL. Do not enter your login information to any site before checking your address bar to ensure you are on the correct website. Consider backing-up your list from time to time. You can use our list export feature any time from this link: http://myanimelist.net/panel.php?go=export or the "file" icon on your Anime/Manga list navigation. We will continue to do everything we can to ensure your accounts are kept safe. However, we need you to be committed to performing basic account security precautions as well; otherwise, everything we do will only be partially effective. And for those who already are aware of, and practising, the above—have yourself a cookie ;) |
KinetaMar 29, 2018 3:59 AM
| Not sure but from what I know MAL is still not using OAuth2. I hope I am wrong. Also another way to prevent this is using a system like gmail where it send a email to you if the IP of login-try is different. Or maybe a system like steam but that would be overkill. |
| Are passwords still sent in plaintext?? What is point of changing passwords if they can spoof it? |
 |
| maybe its time for a multi-factor authentication login? like steams 2 factor authentication but ye just make this optional since not everyone likes that kind of login |
| All MAL really needs is a timer to retry the password, 10 seconds should be good for every try and have an email sent after like 5 tries. MAL doesn't really have anything important to have really heavy login security and the only thing you should worry about is not giving crackers the chance to test a user's password so they could use it on another website. Obviously, protecting the passwords themselves should also be done but that's a given. |
 |
| @Petrosino Well tell that to Apache server MAL is using. I am just lazy to open my VM Manjaro and find which apache version MAL is using via Wireshark then list all the vulnerabilities of that version. |
| Thanks for the reminder. Normally, how much time it's recommended to keep the same password without changing it? Even if it's super strong. |
 |
| @Ulquiorra Until someone hacks the DB really. Brute force is the worst way to steal an account when it comes to long and strong passwords. Here some graphs: |
| Hacking is inevitable although it is a pain to change passwords ill do it. |
"When you made this thread, I cried and screamed" -Swagernator 2017 |
| @Petrosino Well yes but my point is a dev should try his/her best to secure the site. Why are we still using Apache? Why are we still using BBCode? (Post date of article: 2009-09-18 01:54:17. Fixed 6 days ago) Why are we not using OAuth2? All I can praise is they are using lodash and latest versions of it has no vulnerabilities. |
too late for me lol well they will not find anything valuable/profitable on a poor person like me living in a poor country anyway |
If you have a simple password, please update it immediately. Within the last two years, MAL has considerably increased its password requirements in attempt to help you keep your account safe. However, if you have not changed your password since 2015 or before, you may still be using a very simple password. Please update this immediately. All passwords should consist of upper and lower case letters, numbers, and special characters for maximum security. Dear Hacker-sama, If you are even thinking of hacking my account, please spare my hentai list. Thank you and have a good day! Sincerely yours, _Ako_ >currently thinking of adding emojis in my password |
| what about putting up a recaptcha as hotfix. Might break 3rd party client tho |
 |
| Cool. Immidiately changed my password to a very strong one. |
| Tom's Hardware graphics veteran++ (Legacy) i7 6700K@4.0 GHz, ASUS Z170 PRO GAMING, RTX 2080, G. Skill RipJaws V 3200MHz 16GB, Noctua NH-D15, CorsairRM 850x, Win10x64, 1920x1080 MyAnimeList! |
| wow, I have all of these surprised I didn't get hacked... |
  mal's CYBER raccoon CYBER boop ! from the distant year of 2026 theCYBER police are after me ! |
Kineta said: Consider backing-up your list from time to time. You can use our list export feature any time from this link: http://myanimelist.net/panel.php?go=export or the "file" icon on your Anime/Manga list navigation. Relevant question: Is there a (user)way to import the document? I´ve read a post, stating it could be done with the help of a mod. Well, if there is an way, I got some nifty ideas. I did go over some apps using the MAL-API, but so far I did not encounter anything that would allow me to import a complete document. |
 |
dragonshade said: what about putting up a recaptcha as hotfix. Might break 3rd party client tho BUUUURN! My anti-captcha only solves ~20%, so no, don´t. The option for a 2-step-verification however... Either way would put stress on the team and server, for little to no gain. |
|
| @Dustbreath MAL sadly still using XML so by sending the file they can put it to DB for you. You might do with API but you have to code from 0. |
| @sasalx Excel is love, Excel is live! I did go thru the database-file of said apps, but nothing was up for the task in mind. Will dive into the API documentation, but coding from scratch....nmhhhh, maybe with my next reincarnation... |
|
| what actual use could there be in trying to hack accounts on an anime website where people keep track of episodes/chapters... |
 |
| As some have suggested, optional 2 factor auth would be nice for the site for those of us who prefer extra security. There's only so much that making our passwords more complex can do. Perhaps sending a notification if there have been multiple failed login attempts in a short span of time or timing out attempts temporarily after a number of tries could be other solutions. |
hazekashi said: They're just as easy to crack, but impossible to remember. Every good hacking tool does a dictionary attack first, being creativ or having a long password does help. and NO computer can brute force a password that's long We will see what cloud-computing / bot-net can do in a not so distant future. Every major nation is looking into brute-forcing military standards. Some might even accomplished that. |
|
| Ah, it is about that time of year again isn't it? For anyone new, it was pretty common for MAL to get hacked by a certain individual around this time, or I think it was around this time. Took several years but MAL finally did something about it. |
Paul said: Ah, it is about that time of year again isn't it? SSJMaster is coming back? |
The only one I've ever seen care to repeatedly hack MAL on a yearly basis so I would assume it's him. |
Redlotusx said: Paul said: The only one I've ever seen care to repeatedly hack MAL on a yearly basis so I would assume it's him. Does SSJMaster do this as an Halloween prank? Does he do this every years? Man what a way to start the event :( MAL has been able to stop his attacks for the past couple years. Not exactly sure if hacking dozens of MAL accounts and using their accounts to post uncensored gore and mutilation counts as a prank. |
| Might admin consider increasing the password limit from 50 characters in lieu of these bruteforce attacks? |
| Definitely don't use the same password across multiple sites people :P Databases get hacked all the time, so a lot of your information is just out there on the internet. I've been hacked in a game before simply because I used the same password on another game. That other game had their database hacked, so it was just a matter of time until someone hacked me. Be safe peeps :3 |
| So, I guess this is why the password strength is what it is? I remember when I signed up it took me a minute making my password since I couldn't use my typical run of the mill password due to the strengthened requirements compared to the typical site. I practice all of the above though aside from "change your passwords frequently". I've only gotten hacked twice, both times on Steam. I was a kid and I had a pretty simple and plain password and Steam Guard wasn't a thing yet =/ Hoorah for Two-Factor Authentication. I use a unique/strong password on each of my most important accounts now. Although they're all kinda spinoffs of each other. Steam is my strongest one out of the bunch, since that's kinda my #1. Google was #2 but I kept forgetting the password and they keep a log of like every password you use for x amount of time, so I kept running into "You already used this password, Please make something new" >_> |
 “Don’t just mindlessly judge people as you please.” – Rin Okumura “Your past shouldn’t stop you from achieving your goals and dreams.” – Rin Okumura |
| Fishing with dem phishing |
| Maybe add a feature like two authentication like in FB to keep our account safe. Maybe add another email as a backup rather than one. |
 |
| not sure why people would try to hack my MAL account but w/e, gonna change my password just for safety |
WorthinessOct 27, 2017 9:00 AM
| I don't even know my password hahaha I login through Facebook... Probably I'm in even more danger lawl |
| "I died long ago. This is just a bad dream" |
| tbh if someone manages to bruteforce my password, they deserve the account. There's nothing on here except my anime/manga list. Like what the heck do they think they're going to do with my account? There's no incentive to even bother hacking into accounts on this site, it's nonsensical. What are you gonna do hacker-chan, edit/delete people's lists? Not a very good use of your time... |
| @EveryOneStillAskingWhyMALPasswordsAreValuable because you lazy bastards use the same password everywhere. Or similar, one key phrase mixed with some variation of your SSN and bam every password you've ever had for anything. (Also, if you're an American, and have not done so, please go put a freeze on your credit right now.) |
 |
More topics from this board
» [Challenge] You Should Read This Manga 2024 ( 1 2 3 4 5 )Kineta - Feb 23 |
218 |
by httplatte
»»
Yesterday, 4:04 PM |
|
» Moderators Wanted! Accepting applications for all positionsKineta - Apr 26 |
0 |
by Kineta
»»
Apr 26, 6:46 PM |
|
» Try MAL's New Mobile Site! ( 1 2 3 4 5 ... Last Page )Xinil - Feb 15, 2015 |
423 |
by RED-clover12
»»
Apr 24, 10:19 AM |
|
» Planned 5hr Maintenance, Thursday April 25 @ 1am-6am PTKineta - Apr 22 |
0 |
by Kineta
»»
Apr 22, 8:10 PM |
|
» New Site Update: Peak Anime 🗻 ( 1 2 3 4 5 )Kineta - Mar 31 |
213 |
by Lancelot73
»»
Apr 21, 4:28 AM |