Last last night, it was reported that Crunchyroll had been breached, resulting in user information possibly being exposed. As the world's largest anime streaming platform, the reports, which stemmed from a post by International Cyber Digest, caused anxiety among the platform's millions of users.
While there was initially little firm information about the hack, BleepingComputer has now shared more specific details, including exactly what information was stolen in the data breach.
BleepingComputer confirms that the threat actor was able to breach Crunchyroll on March 12 after gaining access to the Okta SSO account of a support agent working for Crunchyroll, allegedly an employee of the Telus International buisness process outsourcing company. After using malware to infect the agent's computer, they were able to gain access to their credentials and various Crunchyroll applicaitons, Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jiro Service Management, and Slack.
The attackers claim to have downloaded 8 million support tickets form Crunchyroll's Zendesk instance, which allegedly contain 6.8 million unique addresses. Samples of support tickets sent to BleepingComputer and then deleted contain information such as the Crunchyroll user's name, login name, email address, IP address, general geographic location, and other contents of the support tickets.
BleepingComputer also confirms that credit card details "were exposed only when the customer shared them in the support ticket" and that "only a few contained full card numbers." Most of these emails included basic information such as the last four digits and expiration dates of the credit cards. The attacker had their access revoked after 24 hours, but it was enough time to steal data up to mid-2025. Crunchyroll had over 17 million paid members as of March 2025.
As a precaution, all Crunchyroll members would be wise to take proper safety precautions following the breach. This includes everything from changing your account passwords to enabling two-factor authentication and monitoring bank and credit card statements.
This is, unfortunately, the second time in as many years that Crunchyroll members have had to worry about their personal data being exposed by a data breach. In January of last year, login credentials of many of the site' s members were reportedly posted online, although Crunchyroll refuted the reports and said there was no evidence that their internal systems were breached. The company said any emails or passwords posted online were likely reused from other leaks.
As always, we'll continue to monitor the situation and share any updates as they come through. In the meantime, stay vigilant.