Crunchyroll just got breached, and it didn’t start inside its systems. It came through a vendor.
According to a March 23 report from BleepingComputer, hackers revealed they had compromised the account of a third-party Crunchyroll support agent, gaining access to internal systems and user data. To prove their claim, they shared samples of the stolen data.
Crunchyroll, a San Francisco-based streaming service with strong operational ties to Japan, has launched an investigation into the breach.
Breach scale: what was allegedly stolen
Rather than attacking Crunchyroll itself, the hackers followed a trend similar to several other breaches: they exploited Telus Digital, a critical third-party vendor. By using malware to compromise a support agent’s computer, they got access to both the agent’s computer and the internal Crunchyroll applications the agent used. This allowed them to exfiltrate support ticket data.
BleepingComputer reports that the hackers shared screenshots as proof of their claim. From these screenshots, it was seen that the attackers accessed the following applications: Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jira Service Management, and Slack.
With access to it, the hackers said they downloaded 8 million support ticket records, which contained 6.8 million unique email addresses.
Although BleepingComputer reported that it deleted the stolen data, it also revealed that the data contained usernames, login names, IP addresses, and general geolocation information. The data also revealed the contents of each support ticket, including those that contained credit card information.
However, only a few of these credit card numbers were in full, as most displayed just the last four digits.
Why breach a third-party vendor?
Compromising a third-party vendor follows a common trend among threat actors.
Because many organizations outsource many of their operations to third-party vendors through Business Process Outsourcing (BPO), they typically become prime targets due to the potentially compromising data they hold. In cybersecurity, this is referred to as a supply-chain risk.
In the case of Telus Digital, it isn’t the first time they’ve been compromised. Earlier this month, a separate alleged breach hit its networks, with approximately 1 petabyte of data stolen, a breach that’s far larger than that of the Crunchyroll breach. While these attacks are separate, situations like this underscore the indirect role BPOs play in corporate breaches.
What has Telus Digital and Crunchyroll said so far
TechCrunch reports that Crunchyroll has made no comment on whether the breach involved Telus Digital, and Telus Digital has remained silent.
According to the attackers’ report to BleepingComputer, access to the compromised account was revoked after 24 hours, likely following the detection of anomalies. As a result, the hackers could only access data up to mid-2025. Reacting to the hackers’ announcement, Crunchyroll told BleepingComputer:
“We are aware of recent claims and are currently working closely with leading cybersecurity experts to investigate the matter.”
Responding to the breach and its scope, it was later announced:
“Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor.”
Validating the hacker’s claims of being locked out later, Crunchyroll also added: “We have not identified evidence of ongoing access to systems in relation to these claims. We are continuing to monitor the situation closely.”
So far, there has been no report indicating that affected customers have been contacted, but we expect this to happen once investigations are finalized.
The cost of trusted access
The breach points to a familiar, yet persistent security challenge. Attackers don’t always need to directly hit a company when they can compromise a weaker third-party vendor. As this attack shows, third-party access can provide a backdoor into the sensitive user data of companies with solid internal security.
For organizations that rely on outsourcing, the Crunchyroll-Telus Digital breach is a reminder that vendor security isn’t optional, but essential to protecting business continuity and user trust.
Also read: A recent third-party customer service breach exposed data tied to 38 million ManoMano customers, underscoring how vendor access can widen breach fallout.
