A major data breach at anime streaming platform Crunchyroll has potentially compromised the personal information of approximately 6.8 million users. The incident appears to stem from a vulnerability exploited at Telus International, a third-party customer support provider contracted by Crunchyroll. Hackers claim to have extracted sensitive data including full names, usernames, email addresses, IP addresses, geographic locations, and details from support tickets.
How the Breach Occurred
The hacker accessed Crunchyroll systems by compromising a Telus International customer support agent’s computer using malware. This allowed them to steal Okta login credentials, granting access to multiple Crunchyroll accounts linked to third-party services such as Zendesk, Google Workspace, Slack, and others. Within a 24-hour window, the hacker downloaded 8 million support ticket records containing the compromised user data.
Notably, while credit card numbers were not directly stolen, users who included partial card details (last four digits or expiration dates) in support interactions may have had this information exposed. The hacker initially demanded a $5 million ransom from Crunchyroll but reported no response from the company.
What Was Stolen?
The leaked data includes:
- Full names
- Usernames
- Email addresses
- IP addresses
- General geographic locations
- Contents of support tickets (potentially including sensitive information)
The hacker provided proof of the breach to cybersecurity outlet Bleeping Computer, sharing screenshots and a sample of the stolen data. The International Cyber Digest account on X also confirmed receiving similar evidence, estimating the total stolen data at 100GB.
Connection to Telus International
Telus International itself confirmed a separate breach on the same day, allegedly conducted by the notorious hacker group ShinyHunters. However, the Crunchyroll incident is believed to be unrelated to this attack. This highlights the inherent risks of outsourcing customer support and the potential for cascading breaches across multiple companies.
Crunchyroll’s Response (or Lack Thereof)
As of today, Crunchyroll has not issued a public statement or notification to users about the potential breach. This lack of transparency raises concerns about data security practices and incident response protocols. The company stated only that they are “aware of recent claims” and are “working closely with leading cyber security experts to investigate the matter.”
This incident underscores the growing threat to user data in the entertainment industry, where customer support systems often become weak links in security chains. It also highlights the need for stricter third-party vendor risk management practices.
