Crunchyroll Investigates Massive Data Breach: 6.8 Million Users’ Personal Info Stolen
Crunchyroll is investigating a breach after hackers claimed to have stolen personal data from about 6.8 million users. The attackers allegedly compromised an employee of Telus International, a BPO company, by infecting their computer and accessing Crunchyroll’s Okta SSO account. They used the credentials to download support ticket records from Zendesk, revealing user names, emails, IPs, locations, and ticket contents; some credit card details were included, but only when customers had shared them in tickets. The breach reportedly lasted 24 hours, and the hackers sent extortion demands of $5 million, but Crunchyroll did not respond. BPOs are increasingly targeted because they handle customer support and internal authentication for multiple companies.

Crunchyroll is investigating a security incident after a hacker claimed to have accessed a trove of user data affecting millions. The claim centers on an intrusion that reportedly occurred late in the evening on March 12, through the compromised Okta single sign-on account of a customer support agent employed by a business process outsourcing partner. According to the attacker, the breach allowed access to Crunchyroll’s internal tools and ticketing systems and enabled the download of a large volume of records.
The adversary asserted that credentials gained from the compromised agent granted access to multiple Crunchyroll workflows and services. Screenshots shared with reporting outlets show that the intruder moved beyond a single system to reach a suite of applications, including the company’s Zendesk ticketing platform, as well as auxiliary tools used for security awareness, customer support quality assurance, analytics, and internal communications. The attacker claims to have pulled roughly eight million support tickets from Zendesk, of which about 6.8 million are said to correspond to unique email addresses.
Within samples of the tickets observed by researchers, the attacker described a range of sensitive data fields. These included user names, login handles, email addresses, IP addresses, approximate geographic information, and the contents of the support tickets themselves. While there were reports of exposed payment card information, investigators indicate that credit card data was not indiscriminately exposed. In most cases, card details would have only appeared if a customer had included them in a ticket; even then, the exposure was generally limited to partial data such as the last four digits or expiry dates, with only a few instances showing full card numbers.
The timeline painted by the attacker suggests the access was curtailed within about 24 hours, but not before data could be exfiltrated up to mid-2025. The intruder also claimed to have sent extortion emails demanding five million dollars in exchange for not releasing the data publicly, though there is no reported response from Crunchyroll to these threats.
Authorities and security researchers have emphasized that, in this case, the breach appeared to be linked to a Telus employee via the outsourcing arrangement rather than to Crunchyroll’s internal systems directly. While the attacker’s narrative links the incident to the Telus relationship, the larger Telus breach, a separate 1-petabyte data theft incident, is said to be unrelated, according to initial reporting from the same outlets.
The incident underscores a broader pattern: business process outsourcing firms are increasingly targeted because they sit at points where multiple organizations’ data and authentication workflows converge. A single compromised BPO employee can potentially unlock access to a broad swath of customer data across different companies. Over the past year, attackers have exploited insider access, social engineering, and compromised credential chains to slip past help desks and other frontline defenses. The trend has been documented in several high-profile cases, including ones where attackers impersonated staff to gain entry to corporate networks, and where social engineering at help desks enabled ransomware and data theft.
Past incidents have shown that social engineering can be a decisive pivot point. In one well-known example, attackers persuaded a Cognizant help desk agent to grant access to a Clorox-associated account, enabling a wider breach. Retail and consumer brands have also reported breaches resulting from manipulated support staff credentials, with major retailers acknowledging that help desk compromises formed part of the attack chain. In the United Kingdom, government guidance has highlighted the risk of social engineering against help desks and BPOs as a key vector for breaches, encouraging tighter controls around identity verification and access management in these environments.
There are additional cautionary tales in the cybersecurity landscape. In October, a well-known messaging and social platform reported a data breach that allegedly exposed tens of millions of user records after its Zendesk-based support channel was compromised. The common thread across these events is the exposure of privileged or near-privileged access through support and ticketing ecosystems, followed by attempts to monetize the data via extortion or deployment of ransomware.
Intelligence highlights from the broader security community—including recent industry reports—continue to stress that malware and threat actors are increasingly capable of operating under the radar by blending into routine admin and support workflows. In this climate, vendors and enterprises are urged to reexamine access controls around outsourcing partners, tighten multi-factor authentication, and adopt stricter monitoring of ticketing and collaboration platforms that interface with sensitive customer data.
Within this evolving threat landscape, Crunchyroll’s situation serves as a reminder of the fragility of digital customer ecosystems when trust is divided across multiple external partners. As investigations proceed and affected users await further updates, the focus remains on validating the scope of exposure, securing compromised accounts, and reinforcing the safeguards that govern how support-related data is accessed and stored. The broader security conversation continues to evolve as organizations reassess how credentials are managed, how insiders are vetted, and how incident response plans account for cross-company dependencies that are common in today’s outsourcing-driven support models.