Security Breach

IYUNO hacked resulting in what might be the largest leak of film and television in history.

photo of Travis Doering
Travis Doering
8 August 2024
5 min read

Introduction

On August 6th, 2024, at 14:25 UTC, the first posts of unreleased film and television shows began surfacing online, with several of Netflix’s 2024 and 2025 slate of anime shows being posted on the anonymous imageboard 4chan. Initially believed to be a breach at Netflix, it soon became clear that this incident extended far beyond a single company. The breach has impacted nearly every major distributor, all with ties to a single company: IYUNO.

IYUNO is a post-production facility that provides subtitling, translation, and language dubbing services with offices and facilities located in 35 countries around the world. To quote their founder and CEO David Lee, “IYUNO is the largest media localization company in the world”. According to Mr. Lee, IYUNO currently works with Apple, Netflix, Amazon,Disney, ViaCom, Sony Pictures, amongst other industry leaders. The scale of IYUNO’s domination in the market of media localization is truly staggering, as on an annual basis IYUNO produces an average of 600,000 running time hours of content [1]. This works out to roughly 80,000 TV shows, if we assume a standard order of 10 episodes at the traditional 45 minute length. Given this scale, the breach could have catastrophic implications for the film industry.

The Discovery

On August 7th, 2024, we received a notification from an internal tool we designed for a client in the film industry. This tool monitors the web for any publication of our client’s internal data. The tool alerted us that several unreleased workprints had been published on 4chan, a website flagged as high-risk by our system.

This discovery initiated an investigation, and we assigned a researcher to determine whether this breach had affected our client. We found that over 45 media files had already been leaked from a wide range of distribution companies. Some of these media files included Spellbound from Netflix, set to release in November 2024, Plankton: The Movie from Nickelodeon Animation Studios, expected to release in 2025; Arcane Strife from Riot Games, expected to release in November 2024; and even the reboot of Barney's World from Turner Broadcasting, expected to release sometime this year, in 2024.

Screenshot showing IYUNO watermark.
Screenshots showing IYUNO watermark

While the initial files had watermarks that had been covered by the threat actor leaking the content, we later found others where the watermarks were unredacted, showing the words "IYUNO." Digging deeper, we discovered a 4chan thread discussing the leaked media, where one particularly interesting user (User A) claimed to have had access to IYUNO’s internal web application and stated that this was the source of the stolen media now being published online. User A posted screenshots claiming to show access to the internal system; however, these screenshots could not be independently verified. [2]

Sheetshot showing login for iyuno form User A
Screenshot provided by User A

User A also claimed that the breach originated from an API used during the registration process of the internal web application, which was deployed in an insecure manner. This vulnerability allegedly allowed any public email address to register an account and access IYUNO’s internal content management system, which hosts a plethora of unreleased and released media.

While no proof has been posted to back up the claims regarding the vulnerability, there is another clue pointing to an internal web application as the source of the breach: all the posted files appear to have been encoded in the same distinct way—a resolution of 640 by 360, encoded using FFmpeg, a common choice for server-side encoding. This highly compressed encoding would make sense if IYUNO wanted to limit bandwidth consumption on their platform being that they have workers from all over the world.

The Future

This is not the first time that a post-production facility has been the source of unreleased media being published online. In 2017, a malicious actor claiming to be a member of The Dark Overlord hacking group released unreleased episodes of popular shows stolen from Larson Studios, a company specializing in post-production sound. Larson Studios later closed in 2019, with its assets auctioned off to the highest bidder—a fate that is unsurprising given that the hack led to their clients being blackmailed by malicious actors. [3]

In today’s digital distribution society, media files are a distributor’s golden ticket, as every frame represents an enormous investment. The unauthorized release of media can have devastating consequences, especially as online piracy continues to grow. Visits to piracy sites increased by 36% compared to 2020, according to findings from UK-based Muso, which monitors online piracy, and consulting firm Kearney. [4]

Media files should be treated with extreme care by production and distribution companies and should not be transferred into uncontrolled third-party environments. Relying on self-auditing or the completion of an Excel security assessment questionnaire provides nothing but a false sense of security. It is time for distributors to act by conducting in-person IT audits of all third-party vendors handling sensitive media files.

At this point, there is no way to truly know the number of affected productions without IYUNO conducting an internal audit. However, it’s very likely that we have not seen the last of IYUNO’s data being dumped online.

Sources:

[1]: https://www.youtube.com/watch?v=dRJVKoYhisM
[2]: https://archive.4plebs.org/tv/thread/202272720/

[3] https://thinkonyx.com/sale/larson-studios/

[4]https://www.muso.com/kearneyreport?hsCtaTracking=24c73366-b7e5-4680-826a-328deab1fff1%7Cea073486-f09a-4435-bc94-e28402fbf9a8

MomentPort's services, we bring your vision to life.

By working with us, you benefit from gaining a team of experts each specialized in their own field, all while optimizing your budget.

Quality custom development.

Work with us