Crunchyroll, the popular anime streaming platform, has acknowledged a data breach involving customer support ticket information linked to a third-party vendor. This revelation follows claims from a hacker asserting unauthorized access to user data and internal systems.
Owned by Sony Pictures Entertainment and Japan's Aniplex, Crunchyroll boasts over 2,000 titles available in more than 12 languages, catering to a global audience of 15 million subscribers as reported on its official site.
Recently, reports emerged of a threat actor who claimed to have accessed sensitive data concerning millions of Crunchyroll users. In response, the company has launched an investigation into these allegations.
In an official statement, Crunchyroll emphasized, "Our investigation is ongoing, and we continue to work with leading cybersecurity experts," while also noting that no evidence of ongoing unauthorized access has been found so far.
Insights shared by the cybersecurity-focused account International Cyber Digest suggest that the hacker may have infiltrated Crunchyroll's Zendesk support system. Screenshots purportedly show internal communications and stolen support data, allegedly obtained by compromising an employee at Telus Digital, the outsourcing firm responsible for Crunchyroll's customer support. The hacker claimed to have accessed customer support ticket data until early 2025, when their access was reportedly terminated.
It is important to note that this incident appears to be distinct from a recent breach involving Telus Digital, which the company confirmed last week.
Crunchyroll has not clarified whether the third-party vendor implicated in the breach is indeed its support partner, Telus Digital, who also did not respond to inquiries for comments.
The hacker informed BleepingComputer that they had downloaded approximately eight million support ticket records from Crunchyroll, which included around 6.8 million unique email addresses. However, these claims remain unverified. The hacker indicated that access was gained on March 12 through a compromised Okta single sign-on account belonging to a Crunchyroll support agent.
This incident highlights the ongoing challenges in cybersecurity, particularly for organizations relying on third-party services. As the investigation unfolds, it underscores the importance of robust security measures to protect user data in an increasingly interconnected digital landscape.
