Crunchyroll Confirms Data Breach Exposing 6.8 Million Users After Hacker Compromises Telus Outsourcing Partner

Overview

Crunchyroll, the Sony-owned anime streaming service with over 17 million paid subscribers, confirmed on March 24 that it is investigating a data breach involving customer service ticket information after a threat actor claimed to have exfiltrated approximately 100 GB of user data. The breach, which occurred on March 12, was traced to a compromised employee at Telus International, the business process outsourcing firm that handles Crunchyroll’s customer support operations, according to BleepingComputer.

The incident marks the second major breach linked to Telus in March 2026, following the ShinyHunters group’s claimed near-petabyte theft from Telus Digital reported earlier this month.

How the Breach Happened

The threat actor told BleepingComputer that they infected a Telus International support agent’s computer with malware, stealing the agent’s Okta single sign-on credentials. Those credentials provided access to multiple internal systems, including Zendesk, Google Workspace, Jira Service Management, MaestroQA, Mixpanel, and Slack.

Once inside, the attacker downloaded approximately eight million support ticket records from the Zendesk instance before Crunchyroll’s security team revoked access roughly 24 hours after the initial compromise on March 12 at 9 PM ET, as reported by BleepingComputer. The stolen data reportedly spans records dating back to mid-2025.

What Data Was Exposed

The eight million support ticket records contained approximately 6.8 million unique email addresses along with customer names, login credentials, IP addresses, and general geographic locations, according to BleepingComputer. Credit card information appeared in some tickets only where customers had voluntarily shared payment details in support conversations, with most entries containing partial card numbers, though some full card numbers were included.

The threat actor claimed to have demanded $5 million from Crunchyroll to prevent public release of the data, stating that the company did not respond to their communications.

Crunchyroll’s Response

Crunchyroll initially stated that it was “aware of recent claims and currently working closely with leading cybersecurity experts to investigate the matter,” as reported by TechCrunch. The company later clarified that the compromised information appeared to be “primarily limited to customer service ticket data following an incident with a third-party vendor” and confirmed it had “not identified evidence of ongoing access to systems in relation to these claims.”

What We Don’t Know

Several important questions remain unanswered. The full scope of the breach has not been independently verified, and it is unclear whether the threat actor has begun selling or leaking the stolen data. Crunchyroll has not disclosed whether it will notify the 6.8 million affected users individually or offer identity protection services.

The relationship between this incident and the earlier Telus Digital breach by ShinyHunters also remains unclear. Both BleepingComputer and TechCrunch noted that the Crunchyroll breach appears to involve a separate threat actor from the ShinyHunters group, but the back-to-back compromises raise questions about the security posture of Telus’s outsourcing operations.

The Growing Risk of Third-Party Breaches

The Crunchyroll incident illustrates a persistent pattern in modern cybersecurity: attackers targeting outsourcing vendors and business process partners rather than the primary organization. A single compromised credential at a third-party support provider was sufficient to expose millions of customer records. For subscribers, the immediate recommendation is to change passwords, enable two-factor authentication where available, and monitor for phishing attempts that may exploit the stolen data.