For millions of anime fans, Crunchyroll is simply where you go to stream the latest episodes. But behind the scenes, the platform is now investigating a security scare after hackers claimed they stole data tied to about 6.8 million users.
The company confirmed it is looking into the incident. In a statement shared with BleepingComputer, Crunchyroll said it is working with cybersecurity experts and believes the exposed information mainly involves customer support ticket data linked to a third-party vendor.
“Our investigation is ongoing,” the company said, adding that it has not found evidence of ongoing access to its systems.
The story, however, highlights a familiar weak spot in modern tech infrastructure: vendors and outsourced support teams. According to the attacker who contacted BleepingComputer, the breach began on March 12 after they gained access to an Okta single sign-on account belonging to a support agent working through Telus International, a business process outsourcing company.
With those credentials, the attacker claims they accessed internal tools such as Zendesk, Slack, and Google Workspace.
The most valuable data reportedly came from Zendesk, where the attacker says they downloaded around 8 million support ticket records, including 6.8 million unique email addresses.
Support tickets can contain more personal information than people realise. According to samples seen by BleepingComputer, the records included usernames, email addresses, IP addresses, approximate locations, and the contents of customer support conversations.
Payment data does not appear to be widely exposed. Still, some users had included card details directly in support requests, meaning fragments such as card digits or expiration dates were sometimes visible in the dataset.
The attacker claims their access lasted around 24 hours before it was revoked. During that time, they allegedly sent a $5 million extortion demand threatening to release the data publicly.
How to stay safe
If you have a Crunchyroll account, there are a few simple steps worth taking. Start by changing your account password, especially if you reuse that password elsewhere. Enabling two-factor authentication adds another layer of protection if your credentials are ever exposed.
It is also wise to watch out for suspicious emails claiming to be from Crunchyroll. Messages asking you to reset passwords, confirm billing information, or click urgent links should be treated cautiously.
Finally, avoid sharing sensitive information, like full credit card numbers or personal identification details, inside support tickets whenever possible. Those conversations sometimes travel through multiple systems and vendors before they reach a resolution.
Louis Eriakha
