Crunchyroll is investigating claims that a threat actor stole data tied to roughly 6.8 million users after allegedly compromising the Okta SSO account of a support agent associated with Telus International. According to the claims, malware on the agent’s device exposed credentials that were then used to access multiple internal and support platforms, including Zendesk, Slack, Google Workspace Mail, Mixpanel, MaestroQA, Wizer, and Jira Service Management. The attacker said they downloaded about 8 million Zendesk support ticket records and attempted to extort Crunchyroll for $5 million, while public reporting and dark web monitoring also pointed to circulation of sample Crunchyroll-related data in criminal forums.

8 events from the most recent confirmed update back to the earliest known activity.
Have I Been Pwned reported receiving a subset of 1.2 million email addresses from an alleged 2 million record dataset tied to the Crunchyroll breach. This represents a later disclosure of breach data beyond the initial reports about the larger Zendesk support ticket exposure.
Crunchyroll said customer information leaked online over the weekend is legitimate and appears to be primarily customer service ticket data linked to an incident involving a third-party vendor. The company said its investigation with cybersecurity experts is ongoing and that it has found no evidence of ongoing access to its systems.
Separate public reporting linked the exposure to Telus, and Telus Digital acknowledged it was investigating unauthorized access affecting a limited number of systems. This response did not validate the full set of claims made about Crunchyroll data exposure.
Crunchyroll was reported to be probing the incident after the threat actor's claims became public. As of the reporting, the company had not publicly confirmed the full scope of the alleged breach.
Reports of a possible Crunchyroll breach emerged publicly after social media posts and an alleged hacker forum listing advertised Crunchyroll-related data. SOCRadar said it observed a dark web post circulating masked email addresses and masked IP addresses as sample data.
The threat actor claimed it sent Crunchyroll extortion emails demanding $5 million after the alleged data theft. According to the report, the company did not respond to those demands.
The same actor alleged it maintained access for about 24 hours and downloaded roughly 8 million Zendesk support ticket records tied to about 6.8 million people. Reported exposed data included names, login names, email addresses, IP addresses, geographic information, ticket contents, and limited payment card data only where users had manually entered it in tickets.
A threat actor claimed it infected a Telus International support agent's device with malware and used the stolen credentials to access the agent's Okta SSO account. The alleged access reportedly opened multiple Crunchyroll-related internal and support platforms, including Zendesk, Slack, Google Workspace Mail, Mixpanel, MaestroQA, Wizer, and Jira Service Management.
9 references tracked:
haveibeenpwned.com
techrepublic.com
databreaches.net
cnet.com
therecord.media
techcrunch.com
socradar.io
cnet.com
bleepingcomputer.com