
Crunchyroll investigates data breach affecting 6.8M users

Summary

– Crunchyroll is investigating a data breach after hackers claimed to have stolen personal information for roughly 6.8 million people.
– The breach allegedly occurred when threat actors compromised a support agent at a third-party vendor, Telus International, gaining access to customer service ticket data.
– The stolen data primarily includes information from support tickets, such as names, email addresses, and IP addresses, with limited credit card details only if users shared them in tickets.
– The attackers claim to have demanded a $5 million ransom from Crunchyroll but received no response before their access was revoked.
– The incident highlights how business process outsourcing (BPO) companies are high-value targets, as compromising a single employee can grant access to data across multiple client companies.

The anime streaming service Crunchyroll is actively investigating a significant data security incident after hackers asserted they stole personal information tied to roughly 6.8 million users. The company confirmed it is working with top-tier cybersecurity professionals to assess the claims. According to its latest statement, the preliminary investigation suggests the compromised information is largely confined to customer service ticket data stemming from an issue with a third-party vendor. Crunchyroll stated it has not found evidence of persistent unauthorized access to its core systems and is monitoring the situation.

The breach claims originated from a threat actor who contacted a cybersecurity news outlet last week. The hacker alleged they gained access on March 12 by compromising the Okta single sign-on account of a support agent. This agent reportedly works for Telus International, a business process outsourcing firm that handles Crunchyroll support tickets. The attackers claim they used malware to infect the agent’s computer and steal their login credentials.

With these stolen credentials, the intruders say they accessed several of Crunchyroll’s internal platforms, including Zendesk, Google Workspace, and Slack. The primary target was the Zendesk support system, from which they allegedly downloaded 8 million ticket records containing 6.8 million unique email addresses. Samples of these tickets, which were viewed before being deleted, included user names, email and IP addresses, general locations, and the full text of support inquiries.

While some reports suggested financial data was exposed, analysis indicates credit card information was only present when customers voluntarily included it within a support ticket. In most cases, this involved partial details like the last four digits or an expiration date, with only a handful of tickets containing full card numbers. The visible tickets all referenced Telus, supporting the narrative that a BPO employee was the initial point of compromise. The threat actor states their access was cut off after one day, but they had already exfiltrated data up to mid-2025. They also claim to have sent a ransom demand for $5 million to Crunchyroll, which went unanswered. This incident is not believed to be connected to a separate, larger breach involving Telus Digital.

Business process outsourcing companies have emerged as prime targets for cybercriminals in recent years. These firms often manage sensitive functions like customer support and billing for multiple clients, making them a lucrative single point of failure. By breaching just one BPO employee, attackers can potentially access vast troves of data across numerous corporations.

Threat actors have employed various methods to exploit BPOs, including bribing insiders, using social engineering tactics against support staff, and directly hijacking employee accounts. In a notable previous case, attackers posing as an employee tricked a help desk agent at Cognizant into granting access that led to a network breach at Clorox. Major retailers like Marks & Spencer and Co-op have also confirmed that social engineering attacks against support personnel enabled network intrusions and data theft, prompting the U.K. government to issue specific guidance on such threats.

Sometimes, the attack focuses directly on the BPO’s systems. For example, Discord disclosed a breach last October where its Zendesk support instance was compromised, potentially exposing data of 5.5 million users. These incidents underscore the elevated security risk posed by third-party vendors with extensive access to customer data.

(Source: BleepingComputer)
