| We have been waiting for our owners, DeNA, to make a statement to the community. Unfortunately, Xinil and I feel it is not possible to wait any longer. At approximately 4:00 AM PDT on May 24th, two things happened:
Why did this happen? The red box on the website said that a "vulnerability in the API" is being worked on. If you feel the red box was not enough information and the community deserves more information, I encourage you to contact DeNA's Customer Support. Is my account safe? The red box on the website said "Out of an abundance of caution" and "***By entering your MAL username and/or password into services other than the official MyAnimeList website or applications provided by MAL, you are running the risk that the information could be used by the developers of those services. When using any third party service, always consider that you provide your information at your own risk." This suggests that there has not been any data leaked or hacked. It also suggests that as long as you have not entered your password into any 3rd party applications that you do not trust, your information should be safe. If you still feel your account is unsafe, I encourage you to contact DeNA's Customer Support. Is my payment information safe? Your payment information is definitely safe. This data is not stored on MAL's servers. Your credit card information is stored on Stripe, a payment processing company that is PCI DSS compliant. Even if MAL were to have a legitimate security breach (which this was not or DeNA would have had to post the potential ramifications to user data, to the best of my knowledge), your credit card number would still be safe as its stored on Stripe only. Why did my app stop working? When will it work again? The red box says the API - what the developers of these applications use to communicate with MAL - is "temporarily disabled". This means all unofficial applications cannot work until the API is enabled again. For this reason, please do not send any bug reports in mobile and desktop applications not explicitly developed by MyAnimeList. The developers of these applications are not responsible for the apps not working and are not able to fix it until DeNA enables the API again. Both the developers and the moderation team do not know when they will start working again. If you feel the lack of communication about the API is problematic and are unhappy about not being able to use your apps, I encourage you to contact DeNA's Customer Support. I cannot recover my MyAnimeList because I forgot/lost my email. Help! I just received the "Important: Please reset your password" email, but I already reset my password? Why don't the moderators know what's going on? How do the moderators feel about this situation? Please give your 3rd party devs some cookies and love - they really need it right now. And please be kind to the moderation staff - we're feeling as upset as you are. |
KinetaMay 27, 2018 3:48 AM
| Hello everyone. I want to apologize for how terribly rushed and opaque these changes have been. Forcing a site-wide password reset is extremely time consuming for the users (as well as our staff) and springing it on the community without any explained security breach is a bit odd. As you also know, we have immediately terminated the MAL API service without providing a sufficient replacement. I’m deeply sorry for this action. Our developer community have been nothing but amazing over the near 10 years the API was available, and I had high hopes we’d be able to put out a completely rebuilt version before taking down the current service. Rest assured, we will absolutely provide a new API everyone can use, but I can’t speak to a release time yet (though it is most definitely in a beta phase.) It is my personal goal to always put the community first and as the number one stakeholder in all projects we undertake. In that regard, I’m very disappointed we’ve failed to provide a great user experience. We will absolutely review the steps that were taken that led us to today and I am determined to improve our communication and community relations with DeNA and upper MAL management. I hope you will continue to put your trust in us and find our overall service rewarding and useful. Thank you for taking the time to read our messages. Lastly, if you need help accessing your account, please reach out to our customer service department or in cases were you cannot wait, me. The moderators are not able to provide account support. |
XinilMay 26, 2018 1:35 PM
| i was kinda scared when i tried to log in and a notice popped up. phew. anyways changing all my info just in case |
 |
| I wonder why all websites don't have 2-factor authentication, is it that expensive to implement? Don't Amazon & Microsoft offer easy to use API for that? |
| I thought i was crazy for a second but aw i was just getting into the apps too |
| Finaly some excuses, I waited 2 days for it. You sure worked on your sweet words. |
    |
Xinil said: As you also know, we have immediately terminated the MAL API service without providing a sufficient replacement. I’m deeply sorry for this action. Our developer community have been nothing but amazing over the near 10 years the API was available, and I had high hopes we’d be able to put out a completely rebuilt version before taking down the current service. Rest assured, we will absolutely provide a new API everyone can use, but I can’t speak to a release time yet (though it is most definitely in a beta phase.) You're talking like the API won't just need a security fix; but that you'll be releasing a new API, someday, not soon. I feel really lazy having to login (it always forgets me) and navigate the website when I need to update MAL every time I watch an episode... At least DeNA should explain how the API was compromised, and what it has to do with our passwords. |
smoledman said: I wonder why all websites don't have 2-factor authentication, is it that expensive to implement? Don't Amazon & Microsoft offer easy to use API for that? We're looking in to implementing 2FA as soon as possible. |
| just when I send a customer support message, I find this. Hopefully the API gets updated soon. |
smoledman said: I wonder why all websites don't have 2-factor authentication, is it that expensive to implement? Don't Amazon & Microsoft offer easy to use API for that? Don't confuse multi-factor (often called two factor) and federated login. The "Login with Facebook/Twitter/Microsoft/Google" things are Federated login. Even if they are possible to use at no cost, they can be complex and time-consuming to retrofit onto a website, especially one with code as old as MAL. That is an internal development cost (and monetary cost) to develop. MAL actually supports federated login with Facebook, Twitter, or Google. Multi-factor (two factor/2FA) is a little easier since it can be self-contained. The most common method is TOTP, which you may be most familiar with via Google Authenticator. Other popular methods include U2F, Yubikey OTP, Authy, etc. This is probably the easier method to retrofit onto the site, and there is a lot of code support for it. MAL does not currently support multi-factor login. |
| Developer, sysadmin, and anime addict. Have an Android smartphone? Try Atarashii! |
| Meh .. always export your list people just in case 2014 headaches happen |
 |
motoko said: smoledman said: I wonder why all websites don't have 2-factor authentication, is it that expensive to implement? Don't Amazon & Microsoft offer easy to use API for that? Don't confuse multi-factor (often called two factor) and federated login. The "Login with Facebook/Twitter/Microsoft/Google" things are Federated login. Even if they are possible to use at no cost, they can be complex and time-consuming to retrofit onto a website, especially one with code as old as MAL. That is an internal development cost (and monetary cost) to develop. MAL actually supports federated login with Facebook, Twitter, or Google. Multi-factor (two factor/2FA) is a little easier since it can be self-contained. The most common method is TOTP, which you may be most familiar with via Google Authenticator. Other popular methods include U2F, Yubikey OTP, Authy, etc. This is probably the easier method to retrofit onto the site, and there is a lot of code support for it. MAL does not currently support multi-factor login. 2FA native to MAL account is better because someone might not turn 2FA on their Google/Facebook. |
smoledman said: 2FA native to MAL account is better because someone might not turn 2FA on their Google/Facebook. That type of person is unlikely to enable it for MAL anyway, but I do agree that having an option for multi-factor for direct accounts should be standard for every site at this point. (preferably via U2F and TOTP) Anyway, we should get back on topic. |
| Developer, sysadmin, and anime addict. Have an Android smartphone? Try Atarashii! |
rafi160 said: Meh .. always export your list people just in case 2014 headaches happen Done, just in case I have to look for other alternatives after all these years. EDIT: I had to use a search engine to find the export link. Here it is: http://myanimelist.net/panel.php?go=export |
EmuAGRMay 26, 2018 2:14 PM
| @Kineta Well at least we have a thread now. So a question. Will they ever give an update about API to staff? SylakentH said: Thanks @Xinil and @Kineta (and of course all moderators) for keeping us informed. It just straight out sucks to be left out in the dark, it feels like DeNA doesn't care about the community Well the problem is there is no one to represent Dena in this case. Staff is always being the bridge over Dena and users. You cant run a site like that. You should talk with your community. Saddening really. |
sasalxMay 26, 2018 2:20 PM
SylakentH said: Thanks @Xinil and @Kineta (and of course all moderators) for keeping us informed. It just straight out sucks to be left out in the dark, it feels like DeNA doesn't care about the community Yeah I feel the same way, my friend. We've had to piece together information over the last few days and it had a really negative impact on the community. The announcement is greatly appreciated. It's just a dark time for now that will pass, seen this kinda thing before. Xinil said: Our developer community have been nothing but amazing over the near 10 years the API was available, and I had high hopes we’d be able to put out a completely rebuilt version before taking down the current service. Rest assured, we will absolutely provide a new API everyone can use, but I can’t speak to a release time yet (though it is most definitely in a beta phase.) The fact that Xinil is dedicated to API and MAL community gives me a lot of hope. I'm quite proud of how far we all came and his interest! Kineta said: Please give your 3rd party devs some cookies and love - they really need it right now. And please be kind to the moderation staff - we're feeling as upset as you are. ^ THIS |
| Thanks for keeping us in the loop, keep up the good work. |
| Honestly the staff at Myanimelist are amazing. The amount y'all care about the community and the site really shows with all the work and enthusiasm y'all put in, and I think that while the community is certainly a key part of what makes MAL what it is, we definitely wouldn't have ended up with a site this amazing if it weren't for the incredible and passionate team that runs everything. I hope DeNA can recognize the importance of MAL to many of its users and treat it a bit better, but I guess a company that isn't directly involved in the same way the staff is won't develop the intimacy with MAL's user base in the same way. Anyways I'm rambling but I really just wanted to say thanks to all the staff for doing such an amazing job and dealing with all the emails and pm's that people who haven't read this announcement are probably sending. MAL is an incredible community, and it is in no small part thanks to you all that this is the case! |
 |
Samfrog said: Honestly the staff at Myanimelist are amazing. The amount y'all care about the community and the site really shows with all the work and enthusiasm y'all put in, and I think that while the community is certainly a key part of what makes MAL what it is, we definitely wouldn't have ended up with a site this amazing if it weren't for the incredible and passionate team that runs everything. Yeah, thank you, Staff. In particular @Kineta @Tyrel @Luna and @Alfyan have always been helpful to me. I really appreciate their dedication and patience. |
| Really glad to see this announcement post, it's something I was expecting after I saw the initial notice. There definitely needs to be a very clear and obvious official presence during times like this and the lack of announcement exacerbated people's alarm I think. And on the same topic, in my personal opinion, the hard reset of passwords was too harsh. If anything, it should have been a soft reset where users could login with their current password and get a prompt to change passwords (without the requirement of email). The only reason I can see for using hard reset and email is due to a breach of security, but it has been stated there is none. Hopefully this sort of thing won't happen again in the future. Hope everyone's accounts get sorted out and staff don't get totally drowned in work, keep up the fantastic efforts MAL staff. :) |
| there it is the needed explanation as they say better late than never |
sasalx said: Well the problem is there is no one to represent Dena in this case. Staff is always being the bridge over Dena and users. You cant run a site like that. You should talk with your community. Saddening really. I see. It's kinda stupid that there's no figurehead that we could appeal to, or at least some kind of social media presence. There ought to be another way to approach people from DeNA except of writing tickets. It's putting unecessary stress on the MAL staff/moderators and 3rd party devs Shishio-kun said: Yeah I feel the same way, my friend. We've had to piece together information over the last few days and it had a really negative impact on the community. The announcement is greatly appreciated. It's just a dark time for now that will pass, seen this kinda thing before. Yeah, read lots of hate for the current situation and not just here in the forums... People start losing faith so quickly Mod Edit: Merged duplicated posts; please use the edit button. |
NexuMay 26, 2018 6:06 PM
| Yeah you really needed to make an announcement. I've heard many people say they are leaving MAL and stuff. I can't lie that it does feel like were in a Dark Age on MAL right now without the API. |
  |
| Thank you for this post. At this point I thought there wouldn't be any official post about this issue. With the lack of communication and the rumors I've seen I was afraid the MAL staff might have wanted to intentionally take down the API to favor the official app. But I see that's not the case, I guess it's probably an issue of DeNA being a bit out of touch with the community. Let's hope all this is solved eventually and the new API is released soon! Is it possible that this has something to do with GDPR? Most websites have changed their policies this week to comply with it, maybe the API didn't comply so they just disabled it? Or maybe it's just a coincidence that this happened on the same dates. (It's the first time I post in the forums but I'm a regular user of MAL and apps/websites that used its API so I was concerned enough about this to post) |
Xinil said: smoledman said: I wonder why all websites don't have 2-factor authentication, is it that expensive to implement? Don't Amazon & Microsoft offer easy to use API for that? We're looking in to implementing 2FA as soon as possible. please make it optional. I don't want to receive an sms everytime I want to login. |
 |
| Idk about others, but I have a problem with my list CSS. My previous one wasn't showing the image covers, and my currret one has a problem with the image quality |
 |
Orion_Gospel said: Idk about others, but I have a problem with my list CSS. My previous one wasn't showing the image covers, and my currret one has a problem with the image quality Yes, it's because high quality preview pic images were provided by a cover generator (third party ap). So when the API was turned off the cover generators were made dysfunctional as well and many people aren't getting HD covers (preview pics) anymore. We redesigned that layout you're using now so that when the HD covers failed for any reason, the low quality ones would show up so you wouldn't completely lose preview pics. btw there isn't anything practical I know of which you can do now for high quality preview pics atm, but I will provide updates in this thread: https://myanimelist.net/forum/?topicid=1731403 That thread is also where I provided info about it after the incident mentioned in the OP happened. I been updating it daily to keep everyone informed. My recommendations for anyone missing preview pics on their list are: * wait and see if your preview pics come back on their own over the next few weeks * use a modern layout with low res preview pics temporarily (as you are now, links are provided in the thread I linked). Some, like yours, might update to HD covers on their own when the issue is resolved. * regularly check that update thread for info and ways to restore preview pics as they happen. I also will mass message the club members with updates when I can, so you can get your layout looking great again! |
Shishio-kunMay 26, 2018 3:49 PM
| ah yes the shitstorm upgraded to cat.4. #pray4thirdpartydevs #RIPapps Guess time to uninstall taiga... 😭 |
 |
| What I'm most upset about is that I had to wait for the mail for roughly an hour. Also changing to a better/new password is like a bandaid on a broken arm. |
| 馬鹿げた倫理 全部ガラクタで |
Our developer community have been nothing but amazing over the near 10 years the API was available Now that's weird. In college - Computer Science, that is - I recall being reprimanded instead of "shit happens you did your best", every single time I forgot even to free a single pointer.I didn't say a word about those problems and already restored my account and password, but I'm not listening FI "API vulns are just to be" - because they're not. They're failures, and someone is, or is likely to be, responsible for it. As Microsoft is for that crap they call an OS, and Intel is for Meltdown and Spectre. FreeBSD developers of several branches do their part for free. Still, if a problem arise (and they do from time to time) people complain. Because they're dissatisfied and to voice a complaint is not wrong, provided you do it with politeness of course. I don't want to have a say in this mess per se, but I'd rather not to listen that "shit happens" and "API had a vuln". That's not an earthquake or a hurricane. That's something a human brain made and is (should be) responsible for. Also, I'd like to see a more understanding stance from staff when it comes to negative feedback. "Understanding" is to be exercised in bad times precisely. There is no need for understanding when everything is OK therefore most feedback are of congratulations and compliments. |
| There are 10 types of people in this world: those who understand binary and those who don't Real men don't use Task Manager: they sudo kill -9 Computers are like air-conditioning: pretty much useless if you open Windows "I cannot refute you, Socrates." - said Agathon Symposium - Plato"Rather, dear Agathon, what you can't refute is the truth; for Socrates is easily refuted." |
| @Xinil, What was the reason for de-listing the official android mal app as that was working. For users who currently have it installed there was no issues with it but I guess it was using the new API. Will that be reinstated or will it be later on when new API releases? |
| god speed, mal. may the "i forgot my email" and "third party app" threads in support die off peacefully |
 |
| Thanks for this announcement. This was definitely needed to clear some of the air with the events going on since Thursday. I am determined to improve our communication and community relations with DeNA and upper MAL management. I hope so. DeNA has been pretty poor when it comes to communication and it's not the first time they screwed up. I remember a recent event that they failed to communicate in time. As someone else mentioned in this thread, I feel like they are really out of touch with this community. |
 |
The red box on the website said The red box on the website said The red box says ... "The Red Box" - The Animation Rating: 0 Unwatchable |
 |
| New API? Which will not be there in, knowing how MAL/DeNa works, at least about half a year? Why I feel like it's a soft approach to get rid of all of this "pesky" 3rd-party applications/sites to get back their oh so precious clicks/visits/views?.. |
 There is such thing as shit taste. Only idiots think that every "work of art" should have the same value.  Persona anime are good. Deal with it. |
TentacleMaster said: @Xinil, What was the reason for de-listing the official android mal app as that was working. For users who currently have it installed there was no issues with it but I guess it was using the new API. Will that be reinstated or will it be later on when new API releases? I guess even the official app went through the same API as 3rd party apps so it must be broken too. |
AJ said: i was kinda scared when i tried to log in and a notice popped up. phew. anyways changing all my info just in case I was scared too. I'm glad that there was no password leak or that MAL was not hacked. I was worried it happened because of this message appearing all of a sudden, telling to reset password. By the way, does it mean I can stay with my old password, or do you recommend changing it into a brand new one? |
| Big thanks to both Kineta and Xinil for providing us some much needed information about this mess of a situation. I will most certainly be lodging a complaint towards DeNA regarding their inexcusable lack of communication. I had originally assumed in all my cynicism that this API issue was some surreptitious attempt to force out all third party apps in favor of the "official" brand, but thankfully that seems to not be the case. I do hope that things are repaired in a timely manner so that using this site with a mobile device isn't such a task. To both the moderation team and third-party devs, thanks for your continued efforts to keeping the spirit of MAL alive.  |
 |
| Thank you, Xinil & Kineta, for keeping us up-to-date and aware of the situation. We all very much appreciate this announcement debriefing. |
 |
More topics from this board
» Try MAL's New Mobile Site! ( 1 2 3 4 5 ... Last Page )Xinil - Feb 15, 2015 |
422 |
by Hayukoo
»»
6 hours ago |
|
» Planned 5hr Maintenance, Thursday April 25 @ 1am-6am PTKineta - Yesterday |
0 |
by Kineta
»»
Yesterday, 8:10 PM |
|
» [Challenge] You Should Read This Manga 2024 ( 1 2 3 4 5 )Kineta - Feb 23 |
204 |
by Dekom
»»
Yesterday, 10:52 AM |
|
» New Site Update: Peak Anime 🗻 ( 1 2 3 4 5 )Kineta - Mar 31 |
213 |
by Lancelot73
»»
Apr 21, 4:28 AM |
|
» Heavenly Easter Delusion: Devil and Dolce ( 1 2 3 4 5 ... Last Page )Kineta - Mar 27 |
3332 |
by Terra_strong
»»
Apr 17, 8:26 PM |