Crunchyroll Investigates Alleged Data Breach Impacting 6.8 Million Users
Earlier this week, reports emerged that threat actors had stolen data belonging to approximately 6.8 million Crunchyroll users nearly half of the company’s 15 million global user base. The claims surfaced after a hacker contacted BleepingComputer last week, prompting Crunchyroll to launch an investigation into the alleged breach.
In a statement, Crunchyroll confirmed it was working with cybersecurity experts to assess the incident. The company later clarified that the exposed data primarily involved customer service ticket information linked to a third-party vendor. While no evidence of ongoing unauthorized access was found, the investigation remains active.
According to the threat actors, the breach occurred after they compromised the Okta single sign-on (SSO) account of a Crunchyroll support agent employed by Telus International, a business process outsourcing firm with access to Crunchyroll’s support tickets. The attackers claimed to have deployed malware on the agent’s device, stealing credentials that granted access to multiple platforms, including Google Workspace Mail, Jiro Service Management, Slack, Mixpanel, MaestroQA, Wizer, and Zendesk.
Using Zendesk access, the hackers reportedly downloaded 8 million support tickets, which contained 6.8 million unique email addresses, along with usernames, login names, geographic locations, IP addresses, and ticket contents. While some reports suggested credit card exposure, the leaked financial data was limited primarily partial card details (expiration dates and last four digits), with only a small number of full card numbers included. All affected tickets were linked to Telus, supporting the attackers’ claims.
The threat actors stated their access was revoked after 24 hours, meaning the stolen data is current up to mid-2025. They also claimed to have sent a $5 million extortion demand to Crunchyroll, though the company has not responded. The breach appears unrelated to a recent alleged attack on Telus Digital by the hacking group ShinyHunters, and the identity of the Crunchyroll attackers remains unknown.
Crunchyroll cybersecurity rating report: https://www.rankiteo.com/company/crunchyroll
TELUS Digital cybersecurity rating report: https://www.rankiteo.com/company/telus-digital
"id": "CRUTEL1774405474",
"linkid": "crunchyroll, telus-digital",
"type": "Breach",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '6.8 million',
'industry': 'Entertainment (Anime Streaming)',
'location': 'Global',
'name': 'Crunchyroll',
'size': '15 million global users',
'type': 'Company'},
{'industry': 'Customer Support Services',
'name': 'Telus International',
'type': 'Business Process Outsourcing Firm'}],
'attack_vector': 'Compromised Okta SSO account via malware on a support '
"agent's device",
'customer_advisories': 'Public statement confirming investigation',
'data_breach': {'data_exfiltration': 'Yes (downloaded via Zendesk)',
'number_of_records_exposed': '8 million support tickets (6.8 '
'million unique email addresses)',
'personally_identifiable_information': 'Yes (email addresses, '
'usernames, geographic '
'locations, IP '
'addresses)',
'sensitivity_of_data': 'High (PII and partial financial data)',
'type_of_data_compromised': ['Email addresses',
'Usernames',
'Login names',
'Geographic locations',
'IP addresses',
'Ticket contents',
'Partial credit card details',
'Full credit card numbers (small '
'number)']},
'description': 'Reports emerged that threat actors had stolen data belonging '
'to approximately 6.8 million Crunchyroll users. The breach '
'occurred after compromising the Okta single sign-on (SSO) '
'account of a Crunchyroll support agent employed by Telus '
'International. The attackers accessed multiple platforms, '
'including Zendesk, and downloaded 8 million support tickets '
'containing personal and partial financial data.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'data exposure',
'data_compromised': '6.8 million unique email addresses, '
'usernames, login names, geographic locations, '
'IP addresses, ticket contents, partial credit '
'card details (expiration dates and last four '
'digits), and a small number of full card '
'numbers',
'identity_theft_risk': 'High (exposure of PII and partial '
'financial data)',
'operational_impact': 'Unauthorized access to support ticket '
'systems and third-party platforms',
'payment_information_risk': 'Moderate (partial credit card details '
'exposed)',
'systems_affected': ['Google Workspace Mail',
'Jiro Service Management',
'Slack',
'Mixpanel',
'MaestroQA',
'Wizer',
'Zendesk']},
'initial_access_broker': {'entry_point': 'Okta SSO account of a Crunchyroll '
'support agent (Telus '
'International)'},
'investigation_status': 'Active',
'motivation': 'Extortion (ransom demand of $5 million)',
'post_incident_analysis': {'root_causes': 'Compromised third-party vendor '
'(Telus International) employee '
'device via malware'},
'ransomware': {'data_exfiltration': 'Yes', 'ransom_demanded': '$5 million'},
'references': [{'source': 'BleepingComputer'}],
'response': {'communication_strategy': 'Public statement confirming '
'investigation',
'containment_measures': 'Access revoked after 24 hours',
'incident_response_plan_activated': 'Yes (investigation launched '
'with cybersecurity experts)',
'third_party_assistance': 'Yes (cybersecurity experts)'},
'title': 'Crunchyroll Investigates Alleged Data Breach Impacting 6.8 Million '
'Users',
'type': 'Data Breach',
'vulnerability_exploited': 'Malware deployment on third-party vendor employee '
'device'}