Streaming Service Crunchyroll Blocks Privacy-Focused Email Tutanota Because 'Hackers Use It'

The end-to-end encryption email service, Tutanota, says they are receiving reports that Crunchyroll is not allowing the use of their email addresses when signing up for their service. After contacting their team requiring that their domains be unblocked, they received the following response: "The ban of your domains is because we encountered a lot of hackers that used your domains emails to hack our accounts." From a report: In other words, Crunchyroll believes that many hackers used Tutanota domain emails to hack their accounts, which is why they banned Tutanota from their list. Moreover, they recommend users to use email accounts powered by "Big Tech" companies for hassle-free sign up to their services. This is not entirely a new phenomenon, notes It's FOSS. "DeviantArt actively blocked Proton Mail in the past because spammers used the platform to create accounts. Now, they have unblocked them."

Tutanota recently called out Microsoft for blocking Tutanota users from registering an account with its cloud-based collaboration platform, Teams.

And in enterprise...

[Anonymous Coward]

They continue block anything to do with no-ip.com domains, even though Microsoft sorted out all their issues with them probably eight years ago (in the process of Microsoft somehow getting a court order and seizing 23 of their domains).

(sigh)

[fahrbot-bot]

Crunchyroll Blocks Privacy-Focused Email Tutanota Because 'Hackers Use It'

Not the dumbest thing I've heard all week, but it's pretty fuckin' close.
(To be fair, though, it's only Tuesday.)

Re:

[Anonymous Coward]

"... we encountered a lot of hackers that used your domains emails to hack our accounts."

What the fucking fuck does that even mean?

How does someone "use email" to "hack someone's account"?

Re:

[Kyogreex]

My first thought was that they're using "hack" in a very general sense and that the issue could be that a disproportionate number of Tutanota emails are being used to sign up for a free trial and then cancel, suggesting that users are abusing the free trial. I would assume they have other measures in place to help curb this but they might be poor, making it "easier" to just block the entire service.

Re:

[Anonymous Coward]

Translation: Some guy did that a couple times, possibly using multiple tutanota email addresses, and because few paying customers use tutanota, it stood out to the miffed overzealous admin. So they thought it was safe to block and claim "hackers!" not realising how stupid it sounds to anyone with at least half a clue. Trouble was, those tutanota guys actually care and asked about it when a user told them about it.

Re:

[Bite The Pillow]

It's their service, they can reject as they please.

How many people are affected? The number of privacy focused users signing up to a Sony service has to be in the single digits.

I mean, I have a separate throwaway email address for EVERY PIZZA PLACE (that requires one). Online orders go through no hassle, but the only search results you should get are if the place gets hacked. And no I don't get delivery, that takes more time and costs more money. Point is, I'm trying to find a reason to care and I just

Re: Good

[RegistrationIsDumb83]

And yet I get more spam from Gmail than anywhere else. They don't even have a working abuse@ address to report spam to.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Good

[Sleeping Kirby]

Except that's not what's going on. Looking at their wikipedia page:

Tutanota offers end-to-end encryption for emails sent from one Tutanota user to another. Tutanota also encrypts all emails and contacts stored in their servers,[18][unreliable source] "except for email addresses of users as well as senders and recipients of emails"[19] and "date of an email sent or received".[20] Emails sent non-encrypted, are encrypted only between the Tutanona user and Tutanota servers, and then sent unencrypted to destination user

Also, they open source their server and app code:
https://github.com/tutao/tutan... [github.com]

So, to crunchyroll, those emails aren't encrypted nor does it hide their origin. While I agree with janky email services should be blocked, what constitutes a janky email service? What makes them janky? Particular more janky than, say, hotmail? Or yahoo mail? Or someone starting their own domain? (Not rhetorical questions. Genuinely asking.) How can one start an email service and not be considered janky? Like, let's say I start one tomorrow. All the SPF are there. I make sure that only accounts that don't abuse or spam are on the server. I start out as with 200 email accounts. My service would still be considered janky because it's small, unknown and untested.
In the end, it's crunchyroll's service and their decision. But it doesn't seem like a well-informed decision. Which is on brand for crunchyroll, as most anime lovers would know.

Re:

[Sleeping Kirby]

They're "janky" because they don't do anything to prevent abuse which facilitates the abuse of services that offer free-trials.

Can you provide a source for that that says they didn't do anything to prevent abuses more than gmail, hotmail, yahoo mail or protonmail? (Again, not rhetorical. I would really like a source.)

Re:

[Sleeping Kirby]

who cares, crunchyroll can do whatever they want. if they take action that causes them to lose customers then that's too bad for them. if a large percentage of signups from a particular email provider are abusing their trial system then maybe its in their interest to ban signups from that provider.

I literally made that exact point.

In the end, it's crunchyroll's service and their decision. But it doesn't seem like a well-informed decision. Which is on brand for crunchyroll, as most anime lovers would know.

Re:

[fmonteiro]

Also, they open source their server and app code:
https://github.com/tutao/tutan... [github.com]

not their server, I don't think so, just their clients

Re:

[Sleeping Kirby]

Thank you for the correction. You're right. I don't see the server repo. Doesn't void my question, but it's good to be accurate.

The real villian

[freeze128]

Sony owns Crunchyroll, so now you know who to be mad at.

Is your son a computer hacker?

[arosenfield]

Signs that your son may be a computer hacker [gwern.net] (2001):

1. Has your son asked you to change ISPs?
2. Are you finding programs on your computer that you don't remember installing?
3. Has your child asked for new hardware?
4. Does your child read hacking manuals?
5. How much time does your child spend using the computer each day?
6. Does your son use Quake?
7. Is your son becoming argumentative and surly in his social behaviour?
8. Is your son obsessed with "Lunix"?
9. Has your son radically changed his appearance?
10. Is your son struggling academically?

I guess in 2022, we can add "Does your son use Tutanota email?" to the list.

Re:

[93 Escort Wagon]

6. Does your son use Quake?

That got a chuckle out of me ("use" Quake?); but then

8. Is your son obsessed with "Lunix"?

made me laugh out loud!

However I was a bit disappointed when I started reading the original post and quickly realized it was a joke. In any case well played, Mr. Gibbons.

Re:

[ToasterMonkey]

8. Is your son obsessed with "Lunix"?

BSD, Lunix, Debian and Mandrake are all versions of an illegal hacker operation system, invented by a Soviet computer hacker named Linyos Torovoltos, before the Russians lost the Cold War. It is based on a program called "xenix", which was written by Microsoft for the US government. These programs are used by hackers to break into other people's computer systems to steal credit card numbers. They may also be used to break into people's stereos to steal their music, using the "mp3" program. Torovoltos is a notorious hacker, responsible for writing many hacker programs, such as "telnet", which is used by hackers to connect to machines on the internet without using a telephone.

Hilarious

Re:

[jimbobxxx]

Your daughter could also be obsessed with Lunix.

Re:

[ChitlinCookoffChamp]

Popular hacker software includes "Comet Cursor", "Bonzi Buddy" and "Flash".

I was just the right amount of stoned when I read whatever the fuck this drivel is

Re: Is your son a computer hacker?

[sanf780]

Not sure where you get ahold of this thread - the description attached to each question have questionable reasonings. Like for example: telling Flash or Bonzi Buddy are hacker tools, or that AMD are hacking friendly CPUs as well as anti USA.

Re:

[Chris Mattern]

"The minute your son leaves the house, does he rebuckle his knickerbockers *below* the knee?"

Re:

[NoWayNoShapeNoForm]

TL;DR

Could be summed up in a single sentence: "If you use the Internet, then you might be a hax0r and therefore we shall not serve you."

What's the problem?

[innocent_white_lamb]

I block certain email providers from sending email to my mailserver too. And I block certain IP addresses from connecting to my webserver.

That's part of system administration.

Re:

[nadass]

They blocked your decade-old account that uses a year-old @duck.com email forwarding service? Or, they prevented you from updating your account email to @duck.com? Or, they wouldn't allow you to create a new account with @duck.com because your IP address matches a decade-old account already?!

Published yesterday - and today

[atol]

Are we running out of DATA? The Propelheads: I ate one of those and infarct it was my left leg. Computer do need energy to run.

Publish hacker domain stats

[misnohmer]

How many Crunchyroll hackers used @gmail.com, @yahoo.com, etc? It would be interesting to know how many detected hacker attempts used emails from what domains.

Re:

[93 Escort Wagon]

I've noticed on the various Crunchyroll "news" pages - they've got a real problem with spammy comment posts of the type "I work from home, spend 6 hours and make $74,392 a week". You need to create an account to make those posts... maybe Tutanota accounts make up some significant percentage of the addresses used to create those accounts?

Or, alternatively, a Tutanola account was used to send spam to some VP and he demanded action!

Re:

[arQon]

IME, a majority of those are gmail accounts - specifically *because* nobody's going to block gmail. Not just on CR, but Anandtech and numerous other sites as well.

Apparently, gmail's "no signup without also giving us your cellphone number" policy has no impact at all on "professional" spammers. IDK why not, but I'm guessing it's because India / China / wherever has either an easily-manipulated system or a social workaround for it. Since the point was solely to capture the phone#-email pair for better tracki

"Highly sophisticated" hackers, clearly

[arQon]

... who sign their RATs with their email addresses? :eyeroll:

This has to be the thinnest pretense I've ever seen for "No, we want the address you use for Facebook etc, because otherwise the tracking doesn't work" - and I've seen a LOT of that in the last few years. Yet another thing we can thank "social media" for.

If they wanted to claim that "hackers" were spamming their forums with those accounts, they'd at least technically have some credibility even though the lie would still be obvious. (Not least because they've been hiding the forums deeper with each passing year, but that's beside the point here).
That they're apparently not even putting THAT much effort into this deception though just shows how much they don't care - which is hardly a surprise, since Sony now has an effective monopoly on ~95% of legal US distribution, and I doubt the situation is much different anywhere else in the world outside of Japan.

On a related note, I have an account there on the free tier created years ago with a truly throwaway email address (i.e. mailinator, not even a hotmail / yahoo level one). I just checked, and the account still works, but you can't sign up with that same domain any more either.

Re:

[ToasterMonkey]

They might just mean people subscribing with stolen CC, which makes some sense, not the sillines you are all reading into it.

Sketchy Anyway

[bill_mcgonigle]

Tutanota has been saying for years that they'll have an .onion address soon and that they care about privacy so much.

Four years later ... they still don't have one and want your IP address.

Everybody wants to track the world.

No nice things

[The-Ixian]

Sort of like how I can no longer use my Google Voice number in the *required* phone number field for a lot of sites...

So sad. Bad apples ruin the whole bunch...

*facepalm*

[Travelsonic]

IDK if this reasoning for banning emails using that service falls into the "tech illiterate" camp, or the "logic illiterate" camp (or if they overlap).

Nobody wants anonymous signups

[Ed Tice]

If you are an information service provider, you want to know your customer. You can't go to a bank and open an anonymous account. If the service is abused, the service provider wants to be able to respond. Many allow pseudo-anonymous signups. That is, they don't ask for all of your data, but they do get enough information that, in the case of serious crimes, they are likely to be successful unmasking your identity. This is a relatively good balance. It prevents rampant doxing. But it also means that

Email accounts powered by "Big Tech" companies?

[DERoss]

Hell no! I avoid Big Tech, which too often has no regard for my privacy.

Yes, my broadband Internet connection is through Spectrum because AT&T is the only alternative where I live. However, I rarely use the Spectrum E-mail address that came with the account. My primary E-mail account -- and my Web host -- is with a relatively unknown regional ISP that does not offer an Internet connection where I live.