Crunchyroll Faces $5 Million Extortion Demand After Alleged Massive Data Breach
A hacker demanded $5M from Crunchyroll after claiming to steal 6.8 million users' data via a Telus contractor's malware-infected computer.

A threat actor who claimed to have breached Sony-owned anime streamer Crunchyroll on March 12 sent extortion emails demanding $5 million to prevent public release of stolen data and received no response from the company, according to cybersecurity outlet BleepingComputer, which was contacted directly by the attacker.
Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million people. "We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter," the company said. In a follow-up statement issued later on March 23, Crunchyroll said its "investigation is ongoing" and added that it believes "the information is primarily limited to customer service ticket data following an incident with a third-party vendor," and that it had "not identified evidence of ongoing access to systems."
A threat actor contacted BleepingComputer last Thursday and claimed to have breached Crunchyroll on March 12 at 9 PM EST, after gaining access to the Okta SSO account of a support agent working for the company. The support agent is reported to be an employee of Telus International, a business process outsourcing company with access to Crunchyroll support tickets. The threat actor told BleepingComputer they infected the contractor's device with malware, captured Okta single sign-on credentials, and pivoted into a range of services used by the platform's support and operations teams.
Cited systems include Zendesk, Google Workspace Mail, Slack, Mixpanel, Jira Service Management, Wizer, and MaestroQA. Within a reported 24-hour window before access was cut, the hackers say they downloaded about 8 million support ticket records from Zendesk, containing 6.8 million unique email addresses. The stolen records, samples of which were seen by BleepingComputer before being deleted, contained each user's name, login name, email address, IP address, general geographic location, and the full contents of support tickets. Attackers also claimed to have taken data stretching back to mid-2025.
The hacker claimed to have sent extortion emails demanding $5 million in exchange for not publicly leaking the data, but did not receive a response from the company. The scale of the potential exposure is significant: Crunchyroll had a paid member base of over 17 million as of March 2025, meaning the claimed 6.8 million affected email addresses would represent a substantial share of its subscriber base.
Some reports initially claimed credit card information was among the exposed data. BleepingComputer confirmed with the threat actor that credit card details were exposed only in cases where customers had themselves included that information in the body of a support ticket, not from a breach of payment systems.
The attacker also claimed to have stolen roughly 100 GB of user analytics data, a figure reported by the X account International Cyber Digest after the hacker shared screenshots. Telus separately confirmed an incident involving the ShinyHunters hacking group on the same day the Crunchyroll claim surfaced, though current indicators suggest the two intrusions are unrelated. BleepingComputer was told the attack targeting the Telus employee was not related to the massive breach at Telus Digital by the ShinyHunters extortion gang.
Business process outsourcing companies have become high-value targets for threat actors over the past few years, as they often handle customer support, billing, and internal authentication systems for multiple companies. A single compromised BPO employee can therefore expose large amounts of customer and corporate data across multiple organizations. Neither Crunchyroll nor parent Sony Group immediately responded to Reuters' requests for comment.
The investigation remains active, with the scope and full extent of the exposure still unverified by independent forensic analysis. No regulatory notifications or direct customer communications had been confirmed as of March 24.

