MyAnimeList Down After Vulnerability Discovered

Update: MyAnimeList is now down for maintenance completely, and presents the following message when you try to visit the domain:

MyAnimeList.net is currently undergoing extensive server maintenance for an undetermined amount of time.
We apologize for the inconvenience and hope to be back online as soon as possible!
Please wait for the official announcement.

At this juncture, we have no further information on what exactly prompted DeNA to temporarily take the service down, but it is likely that the previously-disclosed vulnerability is more severe and wide-ranging than initially thought. As such, it’s important to reiterate the advice given in the article below: if you have reused your MyAnimeList password for any other website, please change it on those sites as soon as possible.

Update 2: MyAnimeList have updated their website, and posted the following statement to their social media channels regarding the downtime:

The text in the image reads:

MyAnimeList.net is currently down for maintenance.

Dear Users, The current maintenance period is a result of discovering a point in our security system that merited looking into further for any potential issues. Thus far, we have not found anything significant, but in the best interest of our users, and in an overabundance of caution, the maintenance period will continue until we have concluded our review. Having said that, we hope to have this matter resolved quickly, and will keep you apprised of when the site will be back online via MAL’s official site and social media accounts. We regret any inconveniences caused, and thank you for your patience and understanding.

How to Contact Us:

If you have any questions regarding this matter, please contact our Customer Service team (rather than the MAL moderation team).

Sincerely,

The MyAnimeList Development Team

Original article: We’ve received word that users attempting to log into MyAnimeList today are being greeted by an error message stating that their account has been locked, and that they need to reset their password to access the service again. While the message states that there is a vulnerability in the MyAnimeList API, no other information is available at this time. We will update this article if any more information comes to light.

MyAnimeList have also disabled their API, which in practice means that all third-party MyAnimeList apps like Taiga, Pocket MAL, AniList and so on are not currently working, and will continue to not work until the API is re-enabled.

The full text in the error message reads:

The MyAnimeList Team is working to address a vulnerability in the API, which has been made temporarily unavailable while the team works on this issue. Out of an abundance of caution, your MyAnimeList (“MAL”) account has been locked and you must reset your password to access it.

Please undertake the following actions to recover your MAL account:

Step 1: Request a new password from this link: Recover your account

Step 2: After logging in, you MUST change your password from the account Settings page.

*This notice to reset your password only applies to passwords for the MAL website. It does NOT apply to passwords used to log into MAL through Facebook, Twitter, or Google+, and does not affect your ability to log into your MAL account through these social media platforms.

**As security experts generally recommend, you should not use passwords you have used before on the MAL site or any other sites, mobile applications, or other services.

***By entering your MAL username and/or password into services other than the official MyAnimeList website or applications provided by MAL, you are running the risk that the information could be used by the developers of those services. When using any third party service, always consider that you provide your information at your own risk.

How to Contact Us:

If you have any questions regarding this matter, please contact our Customer Service team (rather than the MAL moderation team). We regret any inconvenience this may have caused you.

While MAL is likely to be only forcing password resets to be absolutely sure, it’s currently not possible to rule out the chance that your password may have been leaked from their database. As such, it’s a wise idea to reset your MAL password as soon as possible, even if you only rarely use the service – and if you’ve ever used the same password on MAL and any other sites, be sure to change your password across all of them.

As we’ve advised before, please be sure to keep your accounts safe – here’s some tips:

1. Do not ever re-use passwords between sites, including variations. If you had a single password and an attacker got it, it would give them access to every identity and account you have online. Even changing parts of your password per site won’t stop a committed attacker, so passwords need to be entirely unique.
2. To make the above practical, look into using a password manager such as LastPass (recommended), 1Password, KeePass, or (if you’re exclusively an Apple user) the built-in iCloud Keychain. Each of these allows you to generate a truly random password for every site you visit, and will automatically fill them in for you when visiting sites. Using a password manager makes your life much easier, and makes your accounts much more secure – and they’re generally cheap or free, and very easy to use.
3. Be particularly paranoid about your e-mail address’s security – anyone who gets into your e-mail address can get access to your other accounts too. Use a strong password, and enable two-factor authentication if your provider allows it – most major e-mail providers do. Two-factor authentication can be a bit of a pain, but it’s well worth it for the extra security it provides.
4. Consider plugging your e-mail into Have I Been Pwned to see if you’ve been affected by any of the innumerable data breaches over the last few years. If you have, change all your passwords now – perhaps it’s a good time to get a password manager?