Following an incident with a third-party vendor, the anime streaming service Crunchyroll has revealed a data breach involving customer care ticket information after a hacker claimed to have accessed user data and internal systems.
After a threat actor claimed to have stolen the personal data of almost 6.8 million users, Crunchyroll opened an investigation into a possible data breach. As of today, Crunchyroll has recognised the claims and given numerous important updates, even if they have not yet “confirmed” a widespread breach of its fundamental systems.
The streaming service is a joint venture between Japan-based Aniplex and the United States-based Sony Pictures Entertainment. Sony purchased it from AT&T in 2020 for $1.18 billion. According to its website, Crunchyroll boasts 15 million subscribers globally and more than 2,000 titles in more than 12 languages.
This week, reports of a threat actor claiming to have access to Crunchyroll user data appeared online. The hacker claimed to have acquired information on millions of subscribers. As it claims that it is looking into the allegations as it investigates them.
In a statement to the members of the press, the business stated, “Our investigation is ongoing, and we continue to work with leading cybersecurity experts,” adding that it has not found any indication of continuous unauthorized access.
Additionally, documents provided to the member of the press by International Cyber Digest, a cybersecurity-focused account, suggest that the attacker might have accessed Crunchyroll’s Zendesk support system. According to screenshots we’ve seen, the firm’s internal Slack messages and stolen support data were obtained by hacking a worker at Telus Digital, the massive outsourcing company that manages Crunchyroll’s customer service. Customer support ticket data was purportedly stolen by the hacker until early 2025, when their access was terminated.
The intrusion, according to the cybersecurity account, was unrelated to a recent Telus Digital incident that the company acknowledged last week.
A follow-up inquiry regarding the third-party vendor’s connection to Crunchyroll’s support partner, Telus Digital, was not answered. Additionally, requests for comments were not answered by Telus Digital.
Although the claims have not been independently verified, the hacker told the press that they had obtained over eight million support ticket records from Crunchyroll’s computers, including about 6.8 million unique email addresses. Additionally, the hacker informed the outlet that they were able to obtain access on March 12 after breaking into a Crunchyroll support agent’s Okta single sign-on account.
The breach appears limited to customer service ticket data handled by third-party vendors, originating through BPO partner Telus Digital via malware on an employee workstation. A hacker claims to have stolen 100 GB of data, including names, emails, and user IDs. Crunchyroll reports no evidence of continued access and is monitoring with cybersecurity experts.
