Crunchyroll’s Security Breach: Hacker Claims to Have Stolen Data of 6.8 Million Users


Crunchyroll, a popular anime streaming platform, is currently conducting an investigation into a security breach where hackers claim to have compromised personal information for approximately 6.8 million individuals.

In a statement provided to BleepingComputer, Crunchyroll said, “We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter.”

The breach allegedly occurred on March 12th at 9 PM EST when threat actors gained access to the Okta SSO account of a support agent affiliated with Crunchyroll. This support agent, reportedly an employee of the Telus International business process outsourcing (BPO) company, had access to Crunchyroll support tickets. The hackers claimed to have used malware to infiltrate the agent’s computer and obtain their credentials.

Through these credentials, the attackers were able to access various Crunchyroll applications, including Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jira Service Management, and Slack.

Exploiting this access, the threat actors allegedly downloaded 8 million support ticket records from Crunchyroll’s Zendesk instance, with 6.8 million unique email addresses among them.

Screenshots shared with BleepingComputer revealed that the support tickets contained a range of information, such as the user’s name, login name, email address, IP address, general geographic location, and the content of the support tickets.

While initial reports suggested that credit card details were exposed, it was later confirmed that only customers who shared their credit card information in support tickets had their details compromised. This typically included partial information like the last four digits or expiration dates, with few instances of full card numbers being exposed.


The support tickets reviewed by BleepingComputer all referenced Telus, aligning with the hacker’s claim of compromising a BPO employee.

Heightened Targeting of BPOs by Threat Actors

In recent years, business process outsourcing companies have become prime targets for cybercriminals due to their involvement in handling customer support, billing, and internal authentication systems for multiple entities.

This has enabled threat actors to breach a single BPO employee’s account and gain access to extensive customer and corporate data spanning multiple organizations.

Various tactics have been employed by threat actors to exploit BPO vulnerabilities, including bribing insiders with legitimate access, social engineering support personnel, and compromising BPO employee accounts to infiltrate internal systems.

Notably, attackers once impersonated an employee to persuade a Cognizant help desk support agent to grant access to a Clorox employee account, leading to a network breach.

Major retailers have also fallen victim to social engineering attacks against support staff, resulting in ransomware incidents and data theft. Marks & Spencer and Co-op are among the companies that disclosed such breaches.

In response to these attacks, the U.K. government issued guidance on combating social engineering attacks against help desks and BPOs.

Instances where hackers directly target BPO employee accounts have also been documented, such as the Discord data breach that exposed data from 5.5 million users after compromising its Zendesk support system.
