Hackers: We breached Crunchyroll, stole 7 million users’ data

Crunchyroll, the popular anime streaming platform, is currently investigating an alleged breach that may have led to the leak of personal data belonging to 6.8 million of its users.

The user data stolen from Crunchyroll appears to have been obtained by exploiting vulnerabilities in a third-party company, Telus International, to which Crunchyroll outsources its customer support.

“We are aware of the recent allegations and are currently working closely with leading cybersecurity experts to investigate this matter,” Crunchyroll said in a statement.

The cybersecurity selling point Computer beeping says the hacker contacted them to provide information and proof of the stolen data.

The hacker claims to have infected a customer support agent’s computer with malware and gained access to the employee’s Okta login information. From there, the hacker gained access to several accounts that Crunchyroll has with other third-party services such as Zendesk, Google Workspace Mail, Slack, Mixpanel, Jiro Service Management, Wizer, and MaestroQA.

According to the hacker, the breach occurred on March 12 and his access was revoked after 24 hours. However, during this period, the hacker downloaded 8 million support ticket records from Crunchyroll’s Zendesk account. There were 6.8 million unique email addresses included in these tickets.

The hacker showed screenshots from Bleeping Computer detailing the types of personal information allegedly stolen from Crunchyroll users, including full names, usernames, email addresses, IP addresses, general geographic location, and what was included in support tickets. Credit card information does not appear to have been stolen; however, if a user provided the last four digits of their card number or card expiration date in a support ticket, that information would be among the stolen data.

The hacker claims to have sent a $5 million ransom to Crunchyroll for the data, but the hacker claims he has not received a response from the company.

This Tweet is currently unavailable. It may be loading or has been deleted.

The International Cyber ​​Digest account on X also common that they received a screenshot of the breach from the hacker. The account also reported that 100 GB of data was stolen.

According to the cybersecurity company SOCRadara message was published on a hacker forum on the same day of the alleged hack, titled “Crunchyroll email and IP”. The message included obfuscated data samples, purportedly from data stolen in the breach.

Interestingly, Telus also had confirmed with Bleeping Computer on March 12, that the company had suffered a breach from the notorious hacker group ShinyHunters. However, the Crunchyroll-related breach at Telus is believed to be unrelated to the hacker group.

Crunchyroll has not yet issued a statement or acknowledgment of the potential violation to its users.