Japanese police have arrested an unnamed teenage student from a city near Tokyo for allegedly exploiting a security flaw in a subscription-based anime streaming service. The attack resulted in the fraudulent cancellation of more than 46,000 user subscriptions, disrupting access for a significant portion of the platform's customer base.
The suspect, whose name has not been released due to his minor status, reportedly used the vulnerability to bypass authentication or authorization controls within the streaming service's backend. The specific flaw—likely involving improper input validation or an insecure direct object reference—allowed him to programmatically process mass cancellations without proper user consent.
At this stage, law enforcement has not disclosed whether the vulnerability was previously unknown (a zero-day) or a known issue the platform had failed to patch. The investigation is ongoing to determine if the student acted alone or was part of a larger group targeting the service.
No details have emerged regarding whether the streaming service has identified and remediated the exploited flaw. Users of the platform are advised to verify their subscription status and report any unauthorized changes to the company's support team.
The arrest highlights the growing risk of cybercrime among young individuals who may underestimate the legal consequences of conducting such attacks. In Japan, unauthorized access and computer fraud carry severe penalties, including prison time, even for minors.