Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million people.
“We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter,” Crunchyroll initially told .
“Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor,” Crunchyroll shared in a later statement.
“We have not identified evidence of ongoing access to systems in relation to these claims. We are continuing to monitor the situation closely.”
This statement comes after a threat actor contacted last Thursday and claimed they breached Crunchyroll on March 12th at 9 PM EST, after gaining access to the Okta SSO account of a support agent working for Crunchyroll.
This support agent is allegedly an employee of the Telus International business process outsourcing (BPO) company, who has access to Crunchyroll support tickets. The threat actors claimed to have used malware to infect the agent’s computer and gain access to their credentials.
From screenshots shared with , these credentials gave access to various Crunchyroll applications, including Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jiro Service Management, and Slack.
Using this access, the attackers say they downloaded 8 million support ticket records from Crunchyroll’s Zendesk instance. Of these records, there are allegedly 6.8 million unique email addresses.
Samples of the support tickets seen by and then deleted contain a wide variety of information, including the Crunchyroll user’s name, login name, email address, IP address, general geographic location, and the contents of the support tickets.
While other reports on the incident claim that credit card information was exposed, has confirmed that credit card details were exposed only when the customer shared them in the support ticket.
For the most part, this included only basic information, such as the last four digits or expiration dates, and only a few contained full card numbers, according to the threat actor.
The support tickets seen by all reference Telus, supporting the threat actor’s claim that they compromised a BPO employee.
The attacker says their access was revoked after 24 hours, letting them steal data up to mid-2025.
The hacker claims to have sent extortion emails to Crunchyroll, demanding $5 million in exchange for not publicly leaking the data, but did not receive a response from the company.
While this attack targeted a Telus employee, was told it was not related to the massive breach at Telus Digital by the ShinyHunters extortion gang.
BPOs are a high-value target
Business process outsourcing companies have become high-value targets for threat actors over the past few years, as they often handle customer support, billing, and internal authentication systems for multiple companies.
As a result, threat actors can compromise a single BPO employee and gain access to large amounts of customer and corporate data across multiple companies.
In the past year, threat actors have exploited BPOs by bribing insiders with legitimate access, social engineering support staff into granting unauthorized access, and compromising BPO employee accounts to reach internal systems.
In one of the most prominent cases, attackers posed as an employee and convinced a Cognizant help desk support agent to grant them access to a Clorox employee account, allowing them to breach the company’s network.
Major retailers also confirmed that social engineering attacks against support personnel enabled ransomware and data theft attacks.
Marks & Spencer confirmed that attackers used social engineering to breach its networks, while Co-op disclosed data theft following a ransomware attack that similarly abused support staff’s access.
In response to the attacks on M&S and Co-op retail companies, the U.K. government issued guidance on social engineering attacks against help desks and BPOs.
In some cases, hackers target the BPO employee accounts themselves to gain access to the customer data they manage.
In October, Discord disclosed a data breach that allegedly exposed data from 5.5 million unique users after its Zendesk support system instance was compromised.
Update 3/23/25 7:51 PM ET: Updated story with additional statement from Crunchyroll.
.ia_ad {
background-color: #f0f6ff;
width: 95%;
max-width: 800px;
margin: 15px auto;
border-radius: 8px;
border: 1px solid #d6ddee;
display: flex;
align-items: stretch;
padding: 0;
overflow: hidden;
}
.ia_lef {
flex: 1;
max-width: 200px;
height: auto;
display: flex;
align-items: stretch;
}
.ia_lef a {
display: flex;
width: 100%;
height: 100%;
}
.ia_lef a img {
width: 100%;
height: 100%;
border-radius: 8px 0 0 8px;
margin: 0;
display: block;
}
.ia_rig {
flex: 2;
padding: 10px;
display: flex;
flex-direction: column;
justify-content: center;
}
.ia_rig h2 {
font-size: 17px !important;
font-weight: 700;
color: #333;
line-height: 1.4;
font-family: Georgia, “Times New Roman”, Times, serif;
margin: 0 0 14px 0;
}
.ia_rig p {
font-weight: bold;
font-size: 14px;
margin: 0 0 clamp(6px, 2vw, 14px) 0;
}
.ia_button {
background-color: #FFF;
border: 1px solid #3b59aa;
color: black;
text-align: center;
text-decoration: none;
border-radius: 8px;
display: inline-block;
font-size: 16px;
font-weight: bold;
cursor: pointer;
padding: 10px 20px;
width: fit-content;
}
.ia_button a {
text-decoration: none;
color: inherit;
display: block;
}
@media (max-width: 600px) {
.ia_ad {
flex-direction: column;
align-items: center;
}
.ia_lef {
max-width: 100%;
}
.ia_lef a img {
border-radius: 8px 8px 0 0;
}
.ia_rig {
padding: 15px;
width: 100%;
}
.ia_button {
width: 100%;
margin: 0px auto;
}
}
Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
Comments