Crunchyroll confirms data breach after hacker claimed unauthorized access

Anime streaming service Crunchyroll has confirmed a data breach involving customer service ticket information following an incident with a third-party vendor, after a hacker claimed to have accessed user data and internal systems.

The streaming site, which Sony acquired from AT&T in 2020 for $1.18 billion, operates as a joint venture between US-based Sony Pictures Entertainment and Japan-based Aniplex. Crunchyroll has more than 2,000 titles in more than a dozen languages ​​and serves 15 million subscribers worldwide, according to its website.

Reports of a threat actor claiming access to Crunchyroll user data surfaced online this week, with a hacker claiming to have obtained data on millions of users.

Crunchyroll said it is investigating the allegations.

“Our investigation is ongoing, and we continue to work with leading cybersecurity experts,” the company said in a statement to TechCrunch, adding that it had not identified evidence of ongoing unauthorized access.

Separately, material shared with TechCrunch by a cybersecurity-focused account, International Cyber ​​Digest, suggests that the attacker may have gained access to Crunchyroll’s Zendesk support system. The screenshots we’ve seen appear to show the company’s internal Slack messages and stolen support data, which appears to have been stolen via a hack of an employee at Telus Digital, the outsourcing giant that handles customer support for Crunchyroll. The hacker allegedly stole customer support ticket data until early 2025, at which point their access was revoked.

The cybersecurity account said the breach is separate from the recent hack affecting Telus Digital, which the company confirmed last week.

Crunchyroll did not respond to a follow-up question about whether the third-party vendor was associated with support partner Telus Digital.

Telus Digital did not respond to requests for comment.

The hacker told BleepingComputer that they downloaded about eight million support ticket records from Crunchyroll’s systems, including nearly 6.8 million unique email addresses, though the claims have not been independently verified. The hacker also told the publication that they gained access on March 12 after a Crunchyroll support agent’s Okta single sign-on account was compromised.