Data Breaches Bearish 7

Crunchyroll Investigates Breach of 6.8 Million Users via Third-Party Support

· 3 min read ·
Share

Key Takeaways

  • Sony-owned streaming giant Crunchyroll is investigating a significant data breach after hackers allegedly stole 8 million support tickets containing personal data for 6.8 million unique users.
  • The breach originated from a compromised third-party support agent at Telus International, highlighting ongoing vulnerabilities in the global supply chain.

Mentioned

Crunchyroll company Sony Group Corporation company SONY Telus International company TIXT Okta company OKTA Zendesk product BleepingComputer company

Key Intelligence

Key Facts

  1. 1Approximately 6.8 million unique user email addresses were allegedly stolen.
  2. 2The breach originated from a malware infection on a Telus International support agent's computer.
  3. 3Attackers gained access to Okta SSO credentials, allowing entry into Zendesk, Slack, and Jira.
  4. 4A total of 8 million support tickets were exfiltrated during a 24-hour window on March 12, 2026.
  5. 5The threat actors demanded a $5 million ransom from Crunchyroll to suppress the data.
  6. 6Stolen data includes names, usernames, IP addresses, and geographic locations.

Who's Affected

Crunchyroll Users
personNegative
Telus International
companyNegative
Sony Group Corp
companyNeutral

Analysis

The reported breach of Crunchyroll represents a textbook example of the modern 'identity-centric' supply chain attack. By compromising a single endpoint belonging to a support agent at Telus International—a major Business Process Outsourcing (BPO) provider—threat actors were able to bypass traditional perimeter defenses and gain access to a suite of sensitive internal tools. This incident underscores a critical reality for global enterprises: security is only as strong as the least-protected device in a partner's network. The attackers utilized malware to harvest Okta Single Sign-On (SSO) credentials, which then granted them a 'skeleton key' to Crunchyroll’s integrated SaaS ecosystem, including Zendesk, Slack, Jira Service Management, and Google Workspace.

While the breach lasted only 24 hours before access was revoked on March 13, the volume of data exfiltrated is substantial. The hackers claim to have downloaded 8 million support ticket records, which BleepingComputer verified contained names, usernames, email addresses, IP addresses, and geographic locations. Perhaps most concerning is the exposure of the support tickets themselves. While Crunchyroll does not store full credit card details in these systems, users often inadvertently include sensitive information—such as the last four digits of a card or billing addresses—when describing subscription issues. For a platform with over 17 million paid subscribers as of early 2025, a breach affecting nearly 7 million unique emails suggests that a massive portion of its active user base is now at heightened risk of targeted phishing and social engineering attacks.

The attackers utilized malware to harvest Okta Single Sign-On (SSO) credentials, which then granted them a 'skeleton key' to Crunchyroll’s integrated SaaS ecosystem, including Zendesk, Slack, Jira Service Management, and Google Workspace.

This incident follows a troubling trend of BPO-related compromises. Companies like Telus International handle customer service for dozens of Fortune 500 firms, making them high-value targets for 'hub-and-spoke' attacks. By hitting one BPO, a threat actor can potentially pivot into multiple client environments. The use of Okta as the primary target for credential theft mirrors previous high-profile incidents involving MGM Resorts and Caesars Entertainment, where social engineering or malware targeting support desks led to catastrophic system-wide access. For Crunchyroll’s parent company, Sony Group Corporation, this adds another entry to a long history of high-profile cyber incidents, though this specific event appears limited to the streaming subsidiary's support infrastructure rather than its core media delivery systems.

What to Watch

The financial implications are already surfacing, with the attackers reportedly demanding a $5 million ransom to prevent the public release of the data. Crunchyroll’s decision not to respond to the initial demand aligns with current FBI and cybersecurity best practices, but it leaves the 6.8 million affected users in a state of uncertainty. As the investigation continues with 'leading cybersecurity experts,' the focus will likely shift to why the BPO’s endpoint security failed to detect the initial malware infection and whether conditional access policies—such as IP whitelisting or hardware-based MFA—could have prevented the Okta credentials from being used from an unauthorized device.

Moving forward, the industry should expect increased scrutiny of BPO security standards. Organizations can no longer rely on contractual 'right to audit' clauses alone; they must move toward zero-trust architectures that limit the blast radius of a compromised third-party credential. For Crunchyroll users, the immediate advice remains consistent: change passwords, enable multi-factor authentication directly on the platform, and remain hyper-vigilant regarding any emails claiming to be from Crunchyroll support, as the stolen ticket history provides attackers with the perfect script for convincing follow-up scams.

Timeline

Timeline

  1. Initial Breach

  2. Access Revoked

  3. Extortion Attempt

  4. Public Investigation

Cite This Page

"Crunchyroll Investigates Breach of 6.8 Million Users via Third-Party Support." Cyber Intelligence Brief, March 24, 2026. https://getcyberbrief.com/story/crunchyroll-data-breach-telus-international-okta

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.