

Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal data for about 6.8 million people.
“We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter,” Crunchyroll initially told BleepingComputer.
“Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor,” Crunchyroll shared in a later statement.
“We have not identified evidence of ongoing access to systems in relation to these claims. We are continuing to monitor the situation closely.”
This statement comes after a threat actor contacted BleepingComputer last Thursday and claimed they breached Crunchyroll on March 12th at 9 PM EST, after gaining access to the Okta SSO account of a support agent working for Crunchyroll.
This support agent is allegedly an employee of the Telus Global business process outsourcing (BPO) firm, who has access to Crunchyroll support tickets. The threat actors claimed to have used malware to infect the agent’s computer and gain access to their credentials.
From screenshots shared with BleepingComputer, these credentials gave access to various Crunchyroll applications, including Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jira Service Management, and Slack.
Using this access, the attackers say they downloaded 8 million support ticket records from Crunchyroll’s Zendesk instance. Of these records, there are allegedly 6.8 million unique email addresses.
Samples of the support tickets viewed by BleepingComputer and then deleted contain a wide variety of information, including the Crunchyroll user’s name, login name, email address, IP address, general geographic location, and the contents of the support tickets.
While other reports on the incident claim that credit card information was exposed, BleepingComputer has confirmed that credit card details were exposed only when the customer shared them in the support ticket.
For the most part, this included only basic information, such as the last four digits or expiration dates, and only a few contained full card numbers, according to the threat actor.
The support tickets viewed by BleepingComputer all reference Telus, supporting the threat actor’s claim that they compromised a BPO employee.
The attacker says their access was revoked after 24 hours, allowing them to steal data up to mid-2025.
The hacker claims to have sent extortion emails to Crunchyroll, demanding $5 million in exchange for not publicly leaking the data, but did not receive a response from the company.
While this attack targeted a Telus employee, BleepingComputer was told it was not linked to the large breach at Telus Digital by the ShinyHunters extortion gang.
Business process outsourcing firms have become high-value targets for threat actors over the past few years, as they commonly handle customer support, billing, and internal authentication systems for multiple companies.
As a result, threat actors can compromise a single BPO employee and gain access to large amounts of customer and corporate data across multiple companies.
In the past year, threat actors have exploited BPOs by bribing insiders with legitimate access, social engineering support staff into granting unauthorized access, and compromising BPO employee accounts to reach internal systems.
In one of the most prominent cases, attackers posed as an employee and convinced a Cognizant help desk support agent to grant them access to a Clorox employee account, allowing them to breach the company’s network.
Major retailers also confirmed that social engineering attacks against support personnel enabled ransomware and data theft attacks.
Marks & Spencer confirmed that attackers used social engineering to breach its networks, while Co-op disclosed data theft following a ransomware attack that similarly abused support staff’s access.
In response to the attacks on the M&S and Co-op retail companies, the U.K. government issued guidance on social engineering attacks against help desks and BPOs.
In some cases, hackers target the BPO employee accounts themselves to gain access to the customer data they manage.
In October, Discord disclosed a data breach that allegedly exposed data from 5.5 million unique users after its Zendesk support system instance was compromised.
Update 3/23/25 7:51 PM ET: Updated story with additional statement from Crunchyroll.
