Sony-owned anime streaming service Crunchyroll has experienced a data breach after hackers infiltrated a third-party vendor to gain access to customer support ticket data. The breach has exposed information tied to around 6.8 million users, prompting an ongoing investigation into the scope of the incident.
According to reporting from BleepingComputer, the company confirmed it is investigating claims that a threat actor accessed and extracted data.
International Cyber Digest reported on X:
“Crunchyroll [was] breached through an outsourcing partner in India. A threat actor exfiltrated data from Crunchyroll’s ticketing system and also managed to pull 100GB of personally identifiable customer analytics data.”
The sample data included IP addresses, email addresses, location, and support ticket contents.
“An employee of their outsourcing partner Telus had executed malware on his system, which gave a threat actor access to Crunchyroll’s environment,” the post stated.
“We analyzed sample JSON files exported from their Zendesk. And found customer support conversations, user profiles, and significant PII found across structured fields and free-text bodies,” International Cyber Digest added in another post.
Third-Party Compromise Exposes CX Weak Point
The breach appears to have originated from a compromised account belonging to a customer support agent employed by an outsourcing provider, reportedly Telus International.
The attackers contacted BleepingComputer claiming to have breached Crunchyroll on March 12th at 9PM EST, after gaining access to the Okta single sign-on (SSO) account of one of the company’s support agents.
Once inside, the attackers reportedly accessed multiple internal systems, including support and collaboration tools, and downloaded roughly 8 million support ticket records related to around 6.8 million unique email addresses.
While some reports suggested exposure of payment data, analysis indicates that financial details appeared only in cases where users manually entered them into support tickets—and were typically partial (such as last four digits).
Crunchyroll told BleepingComputer:
“We have not identified evidence of ongoing access to systems in relation to these claims.”
Screenshots shared with BleepingComputer indicate that the attackers gained access to various Crunchyroll applications, including Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jiro Service Management, and Slack. BleepingComputer confirmed that credit card details, such as the expiry date and last four digits, that were shared in the support tickets were exposed.
The exported Zendesk data adds another layer to the issue: blending structured data with unstructured customer conversations.
Support ticket systems are often seen as operational tools, but they can hold large amounts of sensitive information that go well beyond basic profile details. They include free-text exchanges where customers may voluntarily share sensitive information. The International Cyber Digest post indicates that both types of data were contained in the exposed dataset, increasing the potential impact of the incident.
The attackers claimed they had access for roughly 24 hours, during which time they exfiltrated data up to mid-2025 was exfiltrated. They also reportedly issued a $5 million extortion demand to prevent public release of the data.
The incident indicates how quickly a single compromised identity within a vendor ecosystem can cascade into a large-scale customer data exposure event. The conversational layer of customer interactions, often rich in context and sensitive disclosures, represents an expanding and less controlled data surface.
BPOs Become High-Value Targets for Threat Actors
The incident highlights the growing risk of attacks on business process outsourcing (BPO) providers because of their privileged access to multiple enterprise systems.
Attackers increasingly target support personnel through credential theft, malware, and social engineering, enabling them to move into core enterprise platforms and customer datasets.
This indicates a structural challenge as outsourced customer operations often sit outside traditional security perimeters while maintaining deep access to customer data and internal tools.
The breach comes alongside ongoing legal scrutiny of Crunchyroll’s data practices. A recent lawsuit alleges the company shared user viewing data and identifiers with third-party marketing technology without adequate consent.
The convergence of a potential breach and privacy litigation reflects the tension between the expanding use of customer data to power personalization alongside rising expectations for transparency and control.
Crunchyroll’s response has emphasized investigation and containment, noting no evidence of continued unauthorized access.
But the rapid amplification of the incident through social media and cybersecurity channels indicates how quickly customer perception can be shaped outside official communications.
