MyAnimeList, the popular anime and manga tracking website, is currently offline due to a vulnerability that was discovered earlier today. According to user reports, the website was breached earlier today and all titles on it were changed to “LET’S ALL LOVE LAIN” (a reference to the 1998 Serial Experiments Lain anime).
A tweet issued on My Anime List’s official Twitter states:
We are undergoing emergency maintenance as our team works to investigate and repair a vulnerability that was discovered this morning PDT. At this time, we are unsure of how long the maintenance will take. We will update you when we know more. We apologize for the inconvenience.
In 2017, Crunchyroll was hacked and users were greeted with a message directing them to a malicious website that offered downloads of infected files. This breach does not seem malicious and while the website was down earlier, it is currently displaying an “Under maintenance” notice.
MyAnimeList (MAL) was launched in 2004 as a passion project by Garrett Gyssler. CraveOnline bought it in 2008 and remained as the owner until 2015 when DeNA bought it. Media Do, a Japanese distribution company, acquired the website in 2019.
MAL website currently has an online manga store, created in partnership with Kodansha Comics and Viz Media, allowing users to purchase manga digitally from the website. In the past, they offered video embeds from Crunchyroll, Hulu, and later HIDIVE. Kodansha, Shueisha and Shogakukan revealed that they invested in the website. It is the top tracking website among anime and manga fans at the moment – with many using it to rate their favorite seasonals and discuss new releases.
This is not the first unexpected downtime for MAL: in 2018 site staff took the website offline for maintenance, citing security and privacy concerns (GDPR compliance). Third-party API was disabled at the time (it was only recently reinstated).
UPDATE: MAL issued a detailed statement on the attack and steps that are being taken:
A malicious individual overwrote anime database information to modify all titles to “Let’s All Love Lain”. User scores were also tampered with. Additionally, a javascript alert was inserted to display a pop-up to users who visited their profile or list during the attack. Our website, apps and APIs were put into emergency maintenance as soon as the attack was discovered. To protect our community, we cannot restore the website until we are fully confident that all hacking methods used by the attacker have been identified and resolved.
