
One Compromised Vendor Login Exposed 6.8 Million Crunchyroll Users' Data

Sony-owned anime streaming service Crunchyroll has confirmed a data breach that exposed personal information tied to roughly 6.8 million users. The attack vector wasn’t some sophisticated exploit — it was a single compromised login belonging to a third-party outsourcing employee.

On March 12, 2026, an attacker infected a device belonging to a support agent at Telus International, a business process outsourcing (BPO) provider that handles Crunchyroll’s customer support operations. The malware captured the agent’s Okta single sign-on credentials, giving the hacker direct access to Crunchyroll’s internal systems — Zendesk, Slack, Google Workspace, Jira, and customer analytics tools.

Within 24 hours, the attacker had downloaded approximately 100GB of data, including around 8 million support ticket records.

What Was Exposed

The stolen data is a detailed picture of Crunchyroll’s user base. Compromised support ticket records contained:

  • Email addresses (approximately 6.8 million unique addresses)
  • Full names and usernames
  • IP addresses
  • Geographic location data
  • Complete support ticket conversations

Partial credit card details — last four digits and expiry dates — were also exposed in cases where users had shared payment information directly in support tickets. Have I Been Pwned added the dataset on April 4, 2026, confirming 1.2 million email addresses from the breach.

The Third-Party Problem

The attacker didn’t breach Crunchyroll directly. They breached an employee of a company that Crunchyroll hired to answer customer emails. That outsourcing employee had Okta SSO access — a single login that opened the door to multiple internal systems simultaneously.

This is the supply chain risk that privacy advocates have been warning about for years. When you sign up for a service, you’re not just trusting that company. You’re trusting every contractor, outsourcing partner, and vendor they work with. Crunchyroll has 17 million paying subscribers and 120 million registered users. Those users had no way to know that their support interactions were being handled by Telus International, or that a Telus employee’s device could become the entry point for a massive data extraction.

BPO providers are high-value targets precisely because of this access. They sit at the intersection of multiple enterprise systems, often with privileged credentials, while operating outside the direct security oversight of the companies they serve. One infected laptop at an outsourcing firm in India compromised data that Sony’s cybersecurity team was supposed to protect.

The Extortion Attempt

After extracting the data, the hacker contacted Crunchyroll demanding $5 million to prevent public release. Crunchyroll did not respond to the demand. The attacker then reached out to media outlets including BleepingComputer and International Cyber Digest, providing evidence of the breach — screenshots showing access to Slack channels, Zendesk dashboards, and internal analytics.

Crunchyroll’s official statement was carefully worded: “We have not identified evidence of ongoing access to systems in relation to these claims.” The company says it contained the intrusion within 24 hours.

Support Tickets Are a Privacy Goldmine

What makes this breach particularly concerning is the nature of the stolen data. Support tickets aren’t just metadata — they contain unstructured conversations where users routinely share personal details. People describe their problems in their own words, often including account details, payment issues, device information, and location context that wouldn’t appear in a standard database.

Support ticket systems are often treated as operational tools rather than sensitive data stores. They typically lack the encryption, access restrictions, and monitoring applied to production databases holding user credentials or payment information. Yet they can contain equally revealing personal data.
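
The monitoring gap described above can be narrowed with a per-agent volume check on ticket access. The sketch below is an added example, not code from Crunchyroll, Telus or any vendor; the event layout, agent names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

# Constructed sample audit events: (UTC timestamp, agent id, tickets read in that request).
# The field layout is hypothetical, not any help-desk product's export format.
SAMPLE_EVENTS = [
    ("2026-03-11T09:00:00", "agent-a", 14),
    ("2026-03-12T09:30:00", "agent-a", 16),
    ("2026-03-12T15:00:00", "agent-a", 11),
    ("2026-03-12T08:00:00", "agent-b", 22),
    ("2026-03-12T13:00:00", "agent-b", 19),
    ("2026-03-10T10:00:00", "agent-c", 18),
    ("2026-03-12T21:00:00", "agent-c", 4000),
    ("2026-03-12T23:00:00", "agent-c", 5200),
    ("2026-03-13T02:00:00", "agent-c", 6100),
]

def peak_window_totals(events, window=timedelta(hours=24)):
    """Return {agent: most tickets read inside any rolling window of that length}."""
    per_agent = defaultdict(list)
    for ts, agent, count in events:
        per_agent[agent].append((datetime.fromisoformat(ts), count))
    peaks = {}
    for agent, rows in per_agent.items():
        rows.sort()
        queue, running, peak = deque(), 0, 0
        for when, count in rows:
            queue.append((when, count))
            running += count
            # Drop events that have aged out of the window ending at `when`.
            while when - queue[0][0] >= window:
                running -= queue.popleft()[1]
            peak = max(peak, running)
        peaks[agent] = peak
    return peaks

def flag_bulk_access(events, ratio=20, floor=500):
    """Flag agents whose peak exceeds an absolute floor AND ratio x the peer median.

    ratio and floor are illustrative values; tune them against real baselines.
    """
    peaks = peak_window_totals(events)
    flagged = []
    for agent, peak in peaks.items():
        # Baseline excludes the agent under test so an outlier cannot mask itself.
        peers = [p for a, p in peaks.items() if a != agent]
        baseline = median(peers) if peers else 0
        if peak > floor and peak > ratio * baseline:
            flagged.append((agent, peak, baseline))
    return sorted(flagged)
```

Run over the sample events, only agent-c is flagged: its 24-hour peak is hundreds of times the peer median, while the other two agents stay under the floor.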

Why This Matters

Every major platform outsources some of its operations. Customer support, content moderation, data processing — these functions are routinely handed off to third-party firms that operate in different countries, under different security standards, with employees who have deep access to the platform’s internal systems.

Users never get a say in these arrangements. You don’t get to opt out of having your support ticket handled by an outsourcing firm. You don’t get to audit whether that firm’s employees are using properly secured devices. You simply have to trust that the service you’re paying for has made good decisions about who gets access to your data.

The Crunchyroll breach is a clear demonstration of why that trust is often misplaced. A single compromised device at a third-party vendor gave an attacker access to 100GB of user data across multiple internal systems. The chain of trust — from user to Crunchyroll to Sony to Telus International to an individual employee’s laptop — had too many links and not enough controls.

What Affected Users Should Do

If you’ve ever contacted Crunchyroll customer support, your data may be part of this breach. Check Have I Been Pwned to verify whether your email address appears in the dataset.

  • Change your Crunchyroll password, and the password on any other account that uses the same credentials
  • Enable multi-factor authentication on Crunchyroll and your email accounts
  • Watch for targeted phishing — attackers with access to your support conversations know what issues you’ve reported and can craft convincing follow-up emails
  • Be cautious of “Crunchyroll security” emails asking you to verify your account or click links. Go directly to the site instead

When a company outsources its operations, it outsources its security risks too. The difference is that when things go wrong, it’s your data on the line — not theirs.
