Crunchyroll Breach Exposes Millions: Hackers Target BPO Employee Access

Crunchyroll, one of the world’s leading anime streaming platforms, is grappling with a major security incident after hackers claimed to have accessed personal data belonging to roughly 6.8 million users. The breach reportedly originated from a compromised support agent account at a business process outsourcing (BPO) firm, highlighting the rising threat to companies that rely on third-party vendors for customer support and internal operations.

How the Breach Happened

According to reports shared with BleepingComputer, the attack took place on March 12th at 9 PM EST when threat actors gained access to an Okta SSO account of a Crunchyroll support agent. This employee worked for Telus International, a BPO company responsible for handling Crunchyroll support tickets. Hackers allegedly infected the agent’s computer with malware, harvesting credentials that provided entry to multiple Crunchyroll systems, including Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jiro Service Management, and Slack.

With this access, the attackers reportedly downloaded 8 million support ticket records from Crunchyroll’s Zendesk instance, identifying 6.8 million unique email addresses. These tickets contained a variety of user information such as names, login credentials, email addresses, IP addresses, general geographic locations, and the actual support ticket content. While some claims suggested credit card exposure, BleepingComputer confirmed that full credit card numbers were rarely included, mostly limited to details voluntarily shared in support tickets, like the last four digits or expiration dates.

The attackers claim their access was revoked after 24 hours, allowing them to steal data spanning up to mid-2025. They also reportedly sent extortion emails to Crunchyroll demanding $5 million to prevent public disclosure, but the company did not respond.

BPOs as High-Value Targets

Business process outsourcing companies have increasingly become high-value targets for cybercriminals. They often handle sensitive customer support, billing, and authentication systems for multiple clients. This centralization of data means that compromising a single BPO employee can grant attackers access to large volumes of corporate and customer data.

In recent years, threat actors have exploited BPOs through bribery, social engineering, and direct compromise of employee accounts. Notable incidents include attackers posing as employees to gain network access at Cognizant for Clorox, social engineering attacks targeting Marks & Spencer and Co-op retail staff, and the October Discord breach that exposed data of 5.5 million users via its Zendesk instance. These cases emphasize the vulnerability of third-party access channels and the importance of robust security measures.

What Undercode Say:

This Crunchyroll incident underscores a critical evolution in cyber threats: attackers are increasingly leveraging weak links in vendor ecosystems rather than targeting companies directly. BPOs, despite often being less secure than their client organizations, have access to sensitive systems that make them high-value targets. The reliance on support agents with extensive internal privileges means that malware infections or credential theft can lead to massive data leaks in a matter of hours.

Additionally, the attack highlights the limits of perimeter security. Even with strong internal defenses, a single compromised agent account can bypass standard protections. Organizations must implement zero-trust principles, continuous monitoring, and strict access controls for vendor accounts. Multi-factor authentication alone may not suffice if malware captures session tokens or credentials in real time.

The public disclosure of stolen support tickets, even without full financial data, can have significant implications. Personal data, IP addresses, and support histories can be used for phishing, identity theft, or social engineering campaigns targeting both Crunchyroll users and other organizations. Attackers can chain this information with breaches from other platforms, amplifying risk.

BPOs themselves must adopt proactive security training and insider threat monitoring, while clients need real-time auditing of vendor access. The Crunchyroll case also stresses the importance of incident response coordination across third-party providers. Companies that fail to act quickly may face reputational damage, regulatory scrutiny, and potential financial liability.

In a broader context, this breach reflects the ongoing arms race between cybercriminals and organizations. As attackers refine tactics—using malware, social engineering, and insider exploits—companies must anticipate multi-vector attacks and prepare defenses that extend beyond their own walls.

Fact Checker Results:

✅ Reports confirm Crunchyroll’s investigation and engagement with cybersecurity experts.
✅ The breach exploited a BPO employee account, not Crunchyroll’s core infrastructure.
❌ Claims of widespread credit card exposure are mostly inaccurate; only limited financial data shared voluntarily was at risk.

Prediction:

📌 Expect further targeting of BPOs in 2026 as attackers realize that a single employee compromise can yield massive access to multiple clients.
📌 Companies may begin mandating stricter zero-trust controls and enhanced endpoint security for vendor staff.
📌 Public awareness campaigns on phishing and social engineering risks will likely increase, especially in industries relying heavily on outsourced support.

This breach is a stark reminder that in today’s interconnected business ecosystem, a chain is only as strong as its weakest link—and often, that link is a trusted third-party employee.