Crunchyroll is investigating a potential data breach after hackers claimed to have accessed and stolen personal information of nearly 6.8 million users, raising concerns over data security on the popular anime streaming platform. The development, reported on March , 2026, has prompted the company to launch an internal probe while working closely with cybersecurity experts to assess the scale and impact of the incident.
The alleged breach came to light after a threat actor contacted cybersecurity publication BleepingComputer, claiming they gained unauthorized access to Crunchyroll’s systems on March 12 at 9 p.m. ET. According to the claims, the attackers exploited credentials linked to an Okta single sign-on account belonging to a customer support agent, allowing them to infiltrate internal tools and systems.
Reports indicate that the compromised account belonged to an employee of Telus International, a third-party outsourcing partner that manages customer support operations for Crunchyroll. The attackers allegedly used malware to gain access to the employee’s credentials, which then enabled entry into multiple internal platforms including Zendesk, Google Workspace Mail, Slack, and Jira Service Management. This highlights the growing risks associated with third-party vendor access in large digital ecosystems.
The hackers claim to have extracted around 8 million support ticket records from Crunchyroll’s Zendesk system, with approximately 6.8 million unique email addresses included in the dataset. The exposed information may also contain usernames, login details, IP addresses, geographic data, and customer service interactions. While some reports suggested the presence of financial information, it appears that credit card details were only included in cases where users had voluntarily shared them in support tickets.
Crunchyroll has stated that, based on its initial assessment, the data exposure appears to be limited primarily to customer service ticket information linked to a third-party vendor incident. The company also noted that there is currently no evidence of ongoing unauthorized access to its systems, and it continues to monitor the situation while the investigation remains ongoing.
Further reports suggest that the attackers’ access was revoked within 24 hours, but not before a significant amount of data may have been extracted. In addition, the threat actor allegedly attempted to extort the company by demanding $5 million in exchange for not releasing the stolen data publicly, though no response from Crunchyroll has been confirmed.
The incident underscores the increasing vulnerability of digital platforms to cyberattacks, particularly through third-party service providers. As companies continue to rely on outsourcing and interconnected systems, such breaches highlight the need for stronger cybersecurity frameworks, tighter access controls, and continuous monitoring to protect sensitive user information in an evolving threat landscape.
