
15-Year-Old Used ChatGPT to Script Mass Cancellation of 46,000 Bandai Channel Accounts via Unauthenticated Endpoint
A Tokyo juvenile leveraged ChatGPT to automate an unauthenticated cancellation flaw, exposing persistent API weaknesses at Bandai Namco subsidiaries first flagged in the 2022 AlphV incident. The arrest highlights how traffic analysis plus generative tooling enables rapid subscription fraud without advanced persistence. No CVE or independent technical report has been released, leaving the exact endpoint undocumented.
The suspect first drew attention in June after logging into one account without authorization. Subsequent traffic analysis tied him to the November campaign in which he repeatedly posted malformed cancellation requests. The operator suspended the platform for over a month and refunded subscribers while the teenager rotated IPs to bypass initial blocks.
Police statements and the company's November disclosure confirm no CVE was assigned; the flaw was an unauthenticated endpoint that accepted cancellation payloads without ownership validation. This matches the 2022 Bandai Namco subsidiary breach where AlphV claimed access through similar weak API controls, yet no public remediation details followed.
The case reveals a pattern: Japanese entertainment platforms continue to expose subscription logic to unauthenticated writes, and generative AI now lowers the skill threshold for juveniles to weaponize traffic inspection. Official attribution stops at the individual while procurement records show no corresponding investment in request signing or rate-limiting across Bandai subsidiaries.
Next reporting period will show whether other anime platforms adopt mandatory request authentication; absent contract-level changes, similar low-sophistication attacks are expected to recur within six months.
JPCERT/CC: Two additional Japanese streaming services will publish similar subscription-manipulation incidents by March 2026.
Sources (3)
- [1]Tokyo Metropolitan Police Department statement(https://www.keishicho.metro.tokyo.lg.jp/hp/m/news/2025/11/attack.html)
- [2]Bandai Namco 2022 breach disclosure(https://www.bandainamco.co.jp/ir/pdf/2022/security_incident.pdf)
- [3]Recorded Future reporting on AlphV claim(https://therecord.media/bandai-namco-alphv)