A 15-year-old used ChatGPT to help cancel 46,812 anime streaming accounts
Japanese police arrested a 15-year-old who, they say, found a flaw in Bandai Channel's servers and used a ChatGPT-assisted tool to cancel 46,812 subscriptions in under four hours. The hole he walked through exists in a lot of apps.
A teenager used ChatGPT to cancel 46,812 anime subscriptions. The hole he walked through is in a lot of apps.
Japanese police have arrested a 15-year-old high school student who, they say, cancelled 46,812 subscriptions on the anime streaming service Bandai Channel in a single evening. The part worth paying attention to is not his age. It is how ordinary the flaw he used was, and that a general-purpose AI chatbot helped him turn it into a working attack.
What happened
Bandai Channel is an anime and tokusatsu streaming service run by Bandai Namco Filmworks. On the evening of November 4, 2025, between roughly 5 p.m. and 8:45 p.m., someone sent a stream of false requests to its servers and cancelled 46,812 paying members' subscriptions without permission. The disruption forced the company to partially suspend the service on November 6, and it did not fully recover until December, after system repairs. Bandai Namco Filmworks went to the police, and on July 4, 2026 they arrested a 15-year-old from Saitama Prefecture, near Tokyo.
The student admitted it. In his own words: "I started using computers when I was in the fourth grade and taught myself everything I know. I happened to be able to access the information and had nothing against the company." Police had already arrested him once, on June 13, for logging into the service using account details belonging to 15 other people.
How he got in
According to police and Japanese outlet reports, the student watched the traffic between the app and its servers, spotted a weakness in how the system handled requests, and realized he could reach account information he was never supposed to see. He then used the generative AI chatbot ChatGPT to help write a program that hammered that weak point at scale, cancelling tens of thousands of subscriptions far faster than a person clicking through a website ever could. When the company blocked him, reports say he switched his IP address around 30 times to keep going.
Where this stands
The student faces charges connected to fraudulent obstruction of business and unauthorized access. Bandai Channel is back to normal, and there is no sign the attack was for money or grievance. He says he did it simply because he could. That is not reassuring, it is the point: the same door is standing open on other services, and the next person to notice may not be a bored 15-year-old with nothing against the company.
Why a build studio cares
We wire up auth, databases, and payments into working products on tight timelines, which means account and subscription endpoints exactly like the one abused here are ours to get right. Three defenses would have blunted this attack, and none of them are exotic: check on every single request that the caller is actually allowed to act on that specific account, not just that they are logged in; rate-limit and watch for anomalies, because one source cancelling 46,812 accounts in under four hours should trip an alarm long before it finishes; and treat a changing IP address as a signal, not a reset. The reason we run this checklist is the thing the story really shows. AI now lets someone with modest skill find and exploit the boring flaws fast, so the boring flaws are the ones that get you.
Next step: read The Mainichi's report for the police account, and Automaton West for the technical detail on how the attack was built. If you are shipping a product with accounts, subscriptions, or payments and want a second pair of eyes on the abuse surface before it goes live, write to us at hello@gattyworks.com.