Crunchyroll Confirms Data Breach via Third-Party Vendor, Exposing Support Ticket Information
Crunchyroll, the anime streaming platform owned by Sony Pictures Entertainment and Aniplex, has acknowledged a data breach involving customer service ticket records after a threat actor publicly claimed unauthorized access to user data and internal systems. The incident, linked to a third-party vendor handling support tickets, is under investigation to determine its full scope and impact.
Crunchyroll has over 15 million subscribers and a library of 2,000+ titles, and the breach raises concerns about the potential misuse of exposed data, particularly for targeted phishing scams. While the company has not disclosed the number of affected records or specific data fields involved, it confirmed that notifications will comply with legal and contractual obligations.
The hacker, who spoke to BleepingComputer, alleged access to approximately eight million support ticket records, including 6.8 million unique email addresses; these claims remain unverified. The attacker reportedly gained entry through a compromised Okta single sign-on (SSO) account belonging to a support agent, a method increasingly used in identity-based breaches. Support ticket systems may contain sensitive details such as names, email addresses, subscription information, IP addresses, and message content, which could be leveraged for fraudulent account recovery or phishing attacks.
This breach follows a pattern of identity and third-party vulnerabilities, with Okta itself experiencing a similar incident in 2023. According to Verizon’s 2023 Data Breach Investigations Report, 74% of breaches involve human factors, often through stolen credentials. IBM’s 2024 Cost of a Data Breach Report estimates the global average breach cost at $4.88 million, underscoring the financial and regulatory risks for multinational platforms like Crunchyroll, which operates under GDPR and state privacy laws.
As the investigation continues, key questions remain, including the final record count, the vendor’s identity, and whether additional sensitive data such as credentials or payment details was exposed. Further disclosures are expected as forensic analysis progresses and regulators engage.
Source: https://www.findarticles.com/crunchyroll-confirms-data-breach-after-hacker-claims/
Crunchyroll cybersecurity rating report: https://www.rankiteo.com/company/crunchyroll
"id": "CRU1774377906",
"linkid": "crunchyroll",
"type": "Breach",
"date": "1/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Potentially 6.8 million unique '
                                              'email addresses (unverified)',
                        'industry': 'Entertainment (Streaming Services)',
                        'location': 'Global (owned by Sony Pictures '
                                    'Entertainment and Aniplex)',
                        'name': 'Crunchyroll',
                        'size': '15+ million subscribers',
                        'type': 'Anime streaming platform'}],
 'attack_vector': 'Compromised third-party vendor (Okta SSO account)',
 'customer_advisories': 'Notifications to be sent in compliance with legal '
                        'obligations',
 'data_breach': {'number_of_records_exposed': 'Approximately 8 million support '
                                              'ticket records (unverified)',
                 'personally_identifiable_information': 'Yes (names, email '
                                                        'addresses, IP '
                                                        'addresses)',
                 'sensitivity_of_data': 'Moderate to high (PII, potential for '
                                        'phishing/fraud)',
                 'type_of_data_compromised': ['Names',
                                              'Email addresses',
                                              'Subscription information',
                                              'IP addresses',
                                              'Message content']},
 'description': 'Crunchyroll, the anime streaming platform owned by Sony '
                'Pictures Entertainment and Aniplex, has acknowledged a data '
                'breach involving customer service ticket records after a '
                'threat actor publicly claimed unauthorized access to user '
                'data and internal systems. The incident, linked to a '
                'third-party vendor handling support tickets, is under '
                'investigation to determine its full scope and impact.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of customer data',
            'data_compromised': 'Support ticket records (names, email '
                                'addresses, subscription information, IP '
                                'addresses, message content)',
            'identity_theft_risk': 'High (exposed PII could be used for '
                                   'phishing or fraud)',
            'legal_liabilities': 'Potential regulatory fines under GDPR and '
                                 'state privacy laws',
            'operational_impact': 'Investigation ongoing; potential disruption '
                                  'to customer support operations',
            'systems_affected': 'Third-party support ticket system, '
                                'Crunchyroll customer service infrastructure'},
 'initial_access_broker': {'entry_point': 'Compromised Okta SSO account of a '
                                          'support agent'},
 'investigation_status': 'Ongoing',
 'motivation': 'Potential financial gain (phishing, fraud, or data sale)',
 'post_incident_analysis': {'root_causes': 'Stolen credentials (human factor), '
                                           'third-party vendor vulnerability'},
 'references': [{'source': 'BleepingComputer'},
                {'source': 'Verizon 2023 Data Breach Investigations Report'},
                {'source': 'IBM 2024 Cost of a Data Breach Report'}],
 'regulatory_compliance': {'regulations_violated': ['GDPR',
                                                    'State privacy laws '
                                                    '(unspecified)'],
                           'regulatory_notifications': 'Expected as part of '
                                                       'investigation'},
 'response': {'communication_strategy': 'Public acknowledgment; notifications '
                                        'to comply with legal obligations'},
 'title': 'Crunchyroll Data Breach via Third-Party Vendor',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Stolen credentials (Okta SSO account of a support '
                            'agent)'}