Common anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen private info for roughly 6.8 million individuals.
“We’re conscious of latest claims and are at the moment working intently with main cyber safety specialists to analyze the matter,” Crunchyroll advised BleepingComputer.
This assertion comes after a risk actor contacted BleepingComputer final Thursday and claimed they breached Crunchyroll on March twelfth at 9 PM EST, after getting access to the Okta SSO account of a help agent working for Crunchyroll.
This help agent is allegedly an worker of the Telus Worldwide enterprise course of outsourcing (BPO) firm, who has entry to Crunchyroll help tickets. The risk actors claimed to have used malware to contaminate the agent’s pc and achieve entry to their credentials.
From screenshots shared with BleepingComputer, these credentials gave entry to numerous Crunchyroll functions, together with Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jiro Service Administration, and Slack.
Utilizing this entry, the attackers say they downloaded 8 million help ticket information from Crunchyroll’s Zendesk occasion. Of those information, there are allegedly 6.8 million distinctive e-mail addresses.
Samples of the help tickets seen by BleepingComputer after which deleted include all kinds of data, together with the Crunchyroll person’s identify, login identify, e-mail handle, IP handle, normal geographic location, and the contents of the help tickets.
Whereas different experiences on the incident declare that bank card info was uncovered, BleepingComputer has confirmed that bank card particulars had been uncovered solely when the client shared them within the help ticket.
For essentially the most half, this included solely primary info, such because the final 4 digits or expiration dates, and just a few contained full card numbers, in response to the risk actor.
The help tickets seen by BleepingComputer all reference Telus, supporting the risk actor’s declare that they compromised a BPO worker.
The attacker says their entry was revoked after 24 hours, letting them steal knowledge as much as mid-2025.
The hacker claims to have despatched extortion emails to Crunchyroll, demanding $5 million in alternate for not publicly leaking the info, however didn’t obtain a response from the corporate.
Whereas this assault focused a Telus worker, BleepingComputer was advised it was not associated to the huge breach at Telus Digital by the ShinyHunters extortion gang.
BPOs are a high-value goal
Enterprise course of outsourcing corporations have develop into high-value targets for risk actors over the previous few years, as they typically deal with buyer help, billing, and inner authentication methods for a number of corporations.
In consequence, risk actors can compromise a single BPO worker and achieve entry to giant quantities of buyer and company knowledge throughout a number of corporations.
Up to now yr, risk actors have exploited BPOs by bribing insiders with professional entry, social engineering help workers into granting unauthorized entry, and compromising BPO worker accounts to achieve inner methods.
In one of the crucial distinguished circumstances, attackers posed as an worker and satisfied a Cognizant assist desk help agent to grant them entry to a Clorox worker account, permitting them to breach the corporate’s community.
Main retailers additionally confirmed that social engineering assaults towards help personnel enabled ransomware and knowledge theft assaults.
Marks & Spencer confirmed that attackers used social engineering to breach its networks, whereas Co-op disclosed knowledge theft following a ransomware assault that equally abused help workers’s entry.
In response to the assaults on M&S and Co-op retail corporations, the U.Ok. authorities issued steering on social engineering assaults towards assist desks and BPOs.
In some circumstances, hackers goal the BPO worker accounts themselves to achieve entry to the client knowledge they handle.
In October, Discord disclosed an information breach that allegedly uncovered knowledge from 5.5 million distinctive customers after its Zendesk help system occasion was compromised.
Malware is getting smarter. The Crimson Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 strategies and see in case your safety stack is blinded.
