Well-liked anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen private data for about 6.8 million individuals.
“We’re conscious of latest claims and are at the moment working carefully with main cyber security specialists to research the matter,” Crunchyroll advised BleepingComputer.
This assertion comes after a menace actor contacted BleepingComputer final Thursday and claimed they breached Crunchyroll on March twelfth at 9 PM EST, after getting access to the Okta SSO account of a help agent working for Crunchyroll.
This help agent is allegedly an worker of the Telus Worldwide enterprise course of outsourcing (BPO) firm, who has entry to Crunchyroll help tickets. The menace actors claimed to have used malware to contaminate the agent’s laptop and achieve entry to their credentials.
From screenshots shared with BleepingComputer, these credentials gave entry to numerous Crunchyroll functions, together with Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jiro Service Administration, and Slack.
Utilizing this entry, the attackers say they downloaded 8 million help ticket information from Crunchyroll’s Zendesk occasion. Of those information, there are allegedly 6.8 million distinctive e mail addresses.
Samples of the help tickets seen by BleepingComputer after which deleted comprise all kinds of data, together with the Crunchyroll consumer’s identify, login identify, e mail deal with, IP deal with, common geographic location, and the contents of the help tickets.
Whereas different stories on the incident declare that bank card data was uncovered, BleepingComputer has confirmed that bank card particulars have been uncovered solely when the shopper shared them within the help ticket.
For probably the most half, this included solely fundamental data, such because the final 4 digits or expiration dates, and just a few contained full card numbers, in accordance with the menace actor.
The help tickets seen by BleepingComputer all reference Telus, supporting the menace actor’s declare that they compromised a BPO worker.
The attacker says their entry was revoked after 24 hours, letting them steal information as much as mid-2025.
The hacker claims to have despatched extortion emails to Crunchyroll, demanding $5 million in change for not publicly leaking the information, however didn’t obtain a response from the corporate.
Whereas this assault focused a Telus worker, BleepingComputer was advised it was not associated to the large breach at Telus Digital by the ShinyHunters extortion gang.
BPOs are a high-value goal
Enterprise course of outsourcing firms have turn into high-value targets for menace actors over the previous few years, as they typically deal with buyer help, billing, and inside authentication programs for a number of firms.
Because of this, menace actors can compromise a single BPO worker and achieve entry to giant quantities of buyer and company information throughout a number of firms.
Prior to now yr, menace actors have exploited BPOs by bribing insiders with respectable entry, social engineering help workers into granting unauthorized entry, and compromising BPO worker accounts to succeed in inside programs.
In probably the most outstanding circumstances, attackers posed as an worker and satisfied a Cognizant assist desk help agent to grant them entry to a Clorox worker account, permitting them to breach the corporate’s community.
Main retailers additionally confirmed that social engineering assaults in opposition to help personnel enabled ransomware and information theft assaults.
Marks & Spencer confirmed that attackers used social engineering to breach its networks, whereas Co-op disclosed information theft following a ransomware assault that equally abused help workers’s entry.
In response to the assaults on M&S and Co-op retail firms, the U.Ok. authorities issued steering on social engineering assaults in opposition to assist desks and BPOs.
In some circumstances, hackers goal the BPO worker accounts themselves to achieve entry to the shopper information they handle.
In October, Discord disclosed a data breach that allegedly uncovered information from 5.5 million distinctive customers after its Zendesk help system occasion was compromised.
Malware is getting smarter. The Crimson Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 strategies and see in case your security stack is blinded.
