Hackers are claiming to have compromised a senior executive’s account at Viz Media, a major U.S. anime and manga publisher, allegedly exfiltrating over 250 gigabytes of sensitive corporate data. The alleged breach was announced on an underground data leak forum, with the attackers claiming access to a vice president’s Google Drive and other internal systems. Viz Media has yet to publicly acknowledge the claims.
Details of the Alleged Viz Media Data Breach
The alleged breach, first reported by cybersecurity news outlets, indicates that the attackers gained access to a Google account belonging to a Viz Media vice president. This infiltration reportedly granted them broad access to various internal company systems. Researchers from Cybernews, who investigated the claims, suggest the compromise likely stemmed from a social engineering attack targeting the executive.
Stolen Data and System Access
The hackers claim to have stolen over 250 GB of data. Samples shared by the attackers, as noted by Cybernews, suggest access to a wide array of sensitive information and systems, including:
- Corporate Google Drive and Gmail accounts
- Viz Media’s internal dashboards
- Mediabox’s royalty management dashboard
- Employee credentials and IDs
- Emails
- Non-disclosure agreements (NDAs)
- Licensing deals and agreements
- Business plans and future project data
- Employee Social Security numbers
- Invoices and royalty statements
The attackers are reportedly attempting to sell the stolen data and access for an undisclosed five-figure sum on dark web forums.
Potential Impact and Cybersecurity Concerns
The alleged breach highlights significant cybersecurity vulnerabilities, particularly concerning privileged accounts. Security experts emphasize that compromising a single, highly-privileged account can provide extensive access to a company’s entire internal system, creating a “single point of catastrophic failure.”
Risks to Viz Media and Partners
If confirmed, the exfiltrated data could pose severe risks:
- Further System Compromise: The stolen credentials and internal information could be used to launch more sophisticated phishing attacks against Viz Media’s partners and vendors, potentially compromising additional systems.
- Exposure of Confidential Agreements: The breach could expose sensitive agreements and communications with Viz Media’s Japanese parent companies, Shogakukan and Shueisha, as well as other major partners in the anime and entertainment industry.
- Intellectual Property and Corporate Strategy Theft: The data may include unreleased project plans, IP licensing deals, and corporate strategy documents, which could be exploited by competitors or state actors.
- Regulatory and Legal Consequences: With the potential exposure of employee Social Security numbers and other personally identifiable information (PII), Viz Media, as a U.S.-based company, could face severe regulatory penalties under laws like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
- Reputational Damage: A confirmed breach of this magnitude could significantly damage Viz Media’s reputation and trust with its employees, partners, and customers.
Viz Media’s Response
As of the latest reports, Viz Media has not yet issued an official statement or acknowledged the alleged data breach. Cybersecurity news outlets, including Cybernews and Anime News Network, have reached out to Viz Media for comment but have not yet received a reply.
The incident underscores the critical need for robust access management and enhanced protection against social engineering attacks, particularly for accounts with extensive organizational privileges.
