Crunchyroll Investigates Breach After Hacker Claims Mass User Data Theft
A hacker planted malware on a Telus International contractor's device, seized Okta credentials, and claims to have walked out with data on 6.8 million Crunchyroll users while demanding $5 million not to leak it.

A threat actor contacted BleepingComputer last Thursday and claimed they breached Crunchyroll on March 12 at 9 p.m. ET, after gaining access to the Okta single sign-on account of a support agent working for the company. The entry point was not Crunchyroll itself, but a contractor: the support agent was an employee of Telus, a business process vendor of Crunchyroll in India that has access to Crunchyroll support tickets.
Crunchyroll told BleepingComputer: "We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter." The company subsequently issued a second, more specific statement: "Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor. We have not identified evidence of ongoing access to systems in relation to these claims. We are continuing to monitor the situation closely."
The mechanics of the intrusion, as described by the attacker, followed a well-worn playbook against outsourced support operations. The threat actor told BleepingComputer they infected a contractor's device with malware, captured Okta single sign-on credentials, and pivoted into a range of services used by the platform's support and operations teams. Cited systems include Zendesk, Google Workspace Mail, Slack, Mixpanel, Jira Service Management, Wizer, and MaestroQA. The support tickets seen by BleepingComputer all reference Telus, supporting the threat actor's claim that they compromised a BPO employee.
Within a reported 24-hour window before access was cut, the hackers say they downloaded about 8 million support ticket records from Zendesk, containing 6.8 million unique email addresses. Samples of the support tickets seen by BleepingComputer contain a wide variety of information, including the Crunchyroll user's name, login name, email address, IP address, general geographic location, and the contents of the support tickets. On payment data, the attacker's own account was relatively narrow: BleepingComputer confirmed that credit card details were exposed only when the customer shared them in the support ticket, and for the most part this included only basic information, such as the last four digits or expiration dates, with only a few containing full card numbers.
A separate claim from cybersecurity newsletter International Cyber Digest put the volume at a different scale. According to the newsletter, a threat actor exfiltrated data from Crunchyroll's ticketing system and also managed to pull 100 GB of personally identifiable customer analytics data. International Cyber Digest confirmed that samples included IP addresses, email addresses, and other information. The 6.8 million record count and the 100 GB volume figure are separate claims from different sources and have not been reconciled by Crunchyroll.
The hacker claims to have sent extortion emails to Crunchyroll demanding $5 million in exchange for not publicly leaking the data, but did not receive a response from the company. The silence from the company on the ransom demand stands in contrast to its willingness to issue a public investigatory statement.
The potential scale of exposure is significant given Crunchyroll's subscriber footprint. The hackers claim to have stolen personal information for approximately 6.8 million people from a platform that, per Reuters, carried a paid member base of over 17 million as of March 2025. The streaming site, which Sony acquired from AT&T in 2020 for $1.18 billion, operates as a joint venture between U.S.-based Sony Pictures Entertainment and Japan-based Aniplex.
While this attack targeted a Telus employee, BleepingComputer was told it was not related to the massive breach at Telus Digital by the ShinyHunters extortion gang. That distinction matters given that business process outsourcing companies have become high-value targets for threat actors over the past few years, as they often handle customer support, billing, and internal authentication systems for multiple companies, meaning a single compromised BPO employee can unlock large volumes of customer and corporate data across multiple clients.
Crunchyroll has not publicly detailed the scope of any exposure, what data categories might be affected, or which geographies are involved, and has not issued customer notifications or password resets. With the company's investigation active and the attacker's data reportedly unpublished, the scope of confirmed harm remains contested until Crunchyroll or an independent forensic review produces verified figures.

