Crunchyroll Investigates Alleged Breach After Hacker Claims Theft of 6.8 Million User Records
Anime streaming platform Crunchyroll is investigating a potential data breach after a threat actor claimed to have stolen personal information tied to roughly 6.8 million users, raising fresh concerns about third-party access risks inside large digital customer support environments.
Crunchyroll told BleepingComputer it is aware of the claims and is working with cybersecurity experts to investigate the matter. Reuters separately reported the company is probing the alleged incident following the publication’s report.
According to BleepingComputer, the alleged attacker said they gained access to Crunchyroll systems on March 12, 2026, at 9 p.m. ET by abusing credentials linked to an Okta single sign-on account belonging to a customer support agent. The account is said to have belonged to an employee of Telus International, a third-party outsourcing partner involved in Crunchyroll’s support operations.
The reported intrusion is notable because it appears to follow a now-familiar enterprise breach pattern: attackers do not need to break the front door if they can compromise a trusted partner, hijack a support identity, and move laterally through internal business tools that were never meant to be exposed to hostile actors. That makes the incident as much a third-party access story as a user-data exposure story.
The attacker allegedly used malware to obtain the support worker’s credentials and then accessed multiple internal platforms, including Zendesk, Google Workspace Mail, Slack, and Jira Service Management. Screenshots shared with BleepingComputer reportedly showed access to some of those systems, although Crunchyroll has not publicly confirmed the full scope of the claims.
The threat actor further claimed to have extracted around 8 million support ticket records from Crunchyroll’s Zendesk environment, including approximately 6.8 million unique email addresses. Reported exposed data may include usernames, email addresses, login details, IP addresses, geographic information, customer analytics, and customer support interactions. Some reports also said credit card details may have appeared in limited cases where users voluntarily included them in support submissions, though that has not been broadly confirmed by Crunchyroll.
Crunchyroll has reportedly said its initial assessment suggests the exposure is primarily tied to customer service ticket information linked to the third-party vendor incident, and that there is currently no evidence of ongoing unauthorized access to its systems. At the same time, the company continues to investigate, which means the final scope may still change as forensic work progresses.
According to the reporting, the attacker’s access may have been revoked within about 24 hours, but not before a significant amount of data was allegedly exfiltrated. BleepingComputer’s report also said the threat actor attempted to extort the company by demanding $5 million in exchange for not releasing the stolen information publicly. Reuters’ follow-up coverage echoed the existence of the investigation but did not add independent confirmation of the extortion demand.
Even if payment card data was not widely exposed, the reported data set would still be highly valuable to attackers. Support tickets often contain identity details, account troubleshooting context, location indicators, and snippets of sensitive user-provided information. That makes such records useful for phishing, credential-stuffing refinement, account takeover attempts, and highly personalized social engineering.
The alleged incident also highlights the quiet importance of customer support ecosystems in modern breach risk. Security programs often focus heavily on production systems, developer pipelines, and cloud infrastructure, but tools like Zendesk, Slack, and IT service management platforms can hold equally damaging information when they are tied together through single sign-on and partner access. A compromise in that layer can quickly become a large-scale privacy event.
For now, the case remains an active investigation rather than a fully confirmed breach with finalized scope. But the scale of the claims, the apparent partner-access angle, and the sensitivity of support ticket data make it one of the more notable alleged third-party compromise stories to surface this month.
Reference Links and Sources
